- Timestamp:
- 10/24/2011 01:06:24 AM (13 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 778be14
- Parents:
- 599fda8
- File:
-
- 1 edited
postlfs/security/cacerts.xml
r599fda8 rf216c56 130 130 user:</para> 131 131 132 <screen><userinput>cat > /bin/make-ca.sh << "EOF"132 <screen><userinput>cat > /bin/make-ca.sh << "EOF" 133 133 #!/bin/bash 134 134 # Begin make-ca.sh … … 228 228 chmod +x /bin/make-ca.sh</userinput></screen> 229 229 230 <para>Add a short script to remove expired certifictes from a directory. 231 Again create this script as the <systemitem 232 class="username">root</systemitem> user:</para> 233 234 <screen><userinput>cat > /bin/remove-expired-certs.sh << "EOF" 235 #!/bin/bash 236 # Begin /bin/remove-expired-certs.sh 237 238 OPENSSL=/usr/bin/openssl 239 DIR=/etc/ssl/certs 240 241 if [ $# -gt 0 ]; then 242 DIR="$1" 243 fi 244 245 certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" ) 246 today=$( date +%Y%m%d ) 247 248 for cert in $certs; do 249 notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout ) 250 date=$( echo ${notafter} | sed 's/^notAfter=//' ) 251 252 if [ $( date -d "${date}" +%Y%m%d ) -lt ${today} ]; then 253 echo "${cert} is expired! Removing..." 254 rm -f "${cert}" 255 fi 256 done 257 EOF 258 259 chmod +x /bin/remove-expired-certs.sh</userinput></screen> 260 230 261 <para>The following commands will fetch the certificates and convert them to 231 262 the correct format. 
If desired, a web browser may be used instead of … … 240 271 wget --output-document certdata.txt $url && 241 272 unset certhost certdir url && 242 make-ca.sh</userinput></screen> 273 make-ca.sh && 274 remove-expired-certs.sh certs</userinput></screen> 243 275 244 276 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 245 277 246 <screen><userinput>install -d ${SSLDIR}/certs && 247 cp -v certs/*.pem ${SSLDIR}/certs && 248 c_rehash && 249 install ca-bundle.crt ${SSLDIR}</userinput></screen> 278 <screen><userinput>SSLDIR=/etc/ssl && 279 install -d ${SSLDIR}/certs && 280 cp -v certs/*.pem ${SSLDIR}/certs && 281 c_rehash && 282 install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt && 283 unset SSLDIR</userinput></screen> 250 284 251 285 <para>Finally, clean up the current directory:</para> … … 264 298 265 299 <seglistitem> 266 <seg>make-ca.sh and make-cert.pl</seg>300 <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg> 267 301 <seg>None</seg> 268 302 <seg>/etc/ssl/certs</seg> … … 297 331 </listitem> 298 332 </varlistentry> 333 334 <varlistentry id="remove-expired-certs"> 335 <term><command>remove-expired-certs.sh</command></term> 336 <listitem> 337 <para>is a utility <application>perl</application> script that 338 removed expired certificates fom a directory. The defaut 339 directory is <filename class='directory'>/etc/ssl/ceerts</filename>.</para> 340 <indexterm zone="cacerts remove-expired-certs"> 341 <primary sortas="b-remove-expired-certs">remove-expired-certs</primary> 342 </indexterm> 343 </listitem> 344 </varlistentry> 299 345 </variablelist> 300 346
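Review bot: In the new remove-expired-certs.sh (added lines 234-259), the `find ${DIR} -type f -name "*.pem" -o -name "*.crt"` expression has no grouping, so `-type f` binds only to the `*.pem` test and any entry named `*.crt` is matched whatever its type. Group the name tests as `\( -name "*.pem" -o -name "*.crt" \)` and quote `"${DIR}"`. The `for cert in $certs` loop also word-splits the result, so a path containing whitespace is handed to openssl and `rm -f` in pieces; since the script is meant to run as root and deletes files, iterating with `find ... -print0 | while IFS= read -r -d '' cert` would be safer. The introductory paragraph at added line 230 also misspells "certificates" as "certifictes".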
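Review bot: In the fetch and install hunk (new lines 271-283), `remove-expired-certs.sh certs` only deletes files in the `certs` directory, while the file installed as `${SSLDIR}/ca-bundle.crt` is the separate `BLFS-ca-bundle*.crt`, which the pruning step never touches. It is worth confirming that the bundle does not still carry the expired certificates, or documenting that only the per-certificate directory is pruned. Separately, `install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt` depends on the glob matching exactly one file; if an older bundle is left in the working directory the command receives several sources with a non-directory target, so naming the file explicitly or checking the match count first would make the step deterministic.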
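Review bot: In the new `remove-expired-certs` varlistentry (new lines 334-344), the description calls the tool "a utility perl script", but the script added earlier in this changeset starts with `#!/bin/bash`, and the stated default directory `/etc/ssl/ceerts` does not match the script's `DIR=/etc/ssl/certs`. Suggest "is a utility bash script that removes expired certificates from a directory. The default directory is /etc/ssl/certs.", which also fixes "removed", "fom" and "defaut".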