make-ca/include.h2m

[SYNOPSYS]
make-ca -g

[EXAMPLES]
The make-ca script will process the certificates included in the certdata.txt
file for use in multiple certificate stores (if the required prerequisites are
present on the system). Additionally, any local certificates stored in
/etc/ssl/local will be imported to the certificate stores. Certificates in this
directory should be stored as PEM encoded OpenSSL trusted certificates.

The make-ca script depends on OpenSSL-1.1.0, P11-Kit-0.23, and optionally,
NSS-3.23 (for the MozTrust exetension). Additionally, Coreutils, gawk, and sed
are used. The default locations for output files can be tailored for your
environment via the /etc/make-ca.conf configuration file.

As of version 1.2, a p11-kit helper, copy-trust-modifications, is included
for use in p11-kit's trust-extract-compat script. Manual creation of OpenSSL
trusted certificates is no longer needed. Instead, import the certificate
using p11-kit's trust utility, and recreate the individual stores using the
update-ca-certificates script. A copy of any modified anchors will be placed
into $LOCALDIR (in the correct format) by the p11-kit helper script. The old
method is left for reference:

To create an OpenSSL trusted certificate from a regular PEM encoded file,
provided by a CA not included in Mozilla's certificate distribution, you need
to add trust arguments to the openssl command, and create a new certificate.
There are three trust types that are recognized by the make-ca.sh script,
SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you
want it to be trusted for all three roles, the following commands will create
an appropriate OpenSSL trusted certificate:

  #\ install -vdm755 /etc/ssl/local \                                 
  #\ wget http://www.cacert.org/certs/root.crt \                      
  #\ openssl x509 -in root.crt -text -fingerprint \\ \                
                 -setalias "CAcert Class 1 root" \\ \                 
                 -addtrust serverAuth \\ \                            
                 -addtrust emailProtection \\ \                       
                 -addtrust codeSigning \\ \                           
            > /etc/ssl/local/CAcert_Class_1_root.pem

If one of the three trust arguments is omitted, the certificate is neither
trusted, nor rejected for that role. Clients that use OpenSSL or NSS
encountering this certificate will present a warning to the user. Clients using
GnuTLS without p11-kit support are not aware of trusted certificates. To
include this CA into the ca-bundle.crt (used for GnuTLS), it must have
serverAuth trust. Additionally, to explicitly disallow a certificate for a
particular use, replace the -addtrust flag with the -addreject flag.

Local trust overrides are handled entirely using the /etc/ssl/local directory.
To override Mozilla's trust values, simply make a copy of the certificate in
the local directory with alternate trust values.
Update documentation and program output 2017-09-23 06:27:31 +05:30			`[SYNOPSYS]`
			`make-ca -g`

			`[EXAMPLES]`
			`The make-ca script will process the certificates included in the certdata.txt`
make-ca, include.h2m: Add detailed dependncy info and add note about configuration file 2020-03-08 10:07:27 +05:30			`file for use in multiple certificate stores (if the required prerequisites are`
Update documentation and program output 2017-09-23 06:27:31 +05:30			`present on the system). Additionally, any local certificates stored in`
			`/etc/ssl/local will be imported to the certificate stores. Certificates in this`
			`directory should be stored as PEM encoded OpenSSL trusted certificates.`

make-ca, include.h2m: Add detailed dependncy info and add note about configuration file 2020-03-08 10:07:27 +05:30			`The make-ca script depends on OpenSSL-1.1.0, P11-Kit-0.23, and optionally,`
			`NSS-3.23 (for the MozTrust exetension). Additionally, Coreutils, gawk, and sed`
			`are used. The default locations for output files can be tailored for your`
			`environment via the /etc/make-ca.conf configuration file.`

			`As of version 1.2, a p11-kit helper, copy-trust-modifications, is included`
			`for use in p11-kit's trust-extract-compat script. Manual creation of OpenSSL`
			`trusted certificates is no longer needed. Instead, import the certificate`
			`using p11-kit's trust utility, and recreate the individual stores using the`
			`update-ca-certificates script. A copy of any modified anchors will be placed`
			`into $LOCALDIR (in the correct format) by the p11-kit helper script. The old`
			`method is left for reference:`

Update documentation and program output 2017-09-23 06:27:31 +05:30			`To create an OpenSSL trusted certificate from a regular PEM encoded file,`
			`provided by a CA not included in Mozilla's certificate distribution, you need`
			`to add trust arguments to the openssl command, and create a new certificate.`
			`There are three trust types that are recognized by the make-ca.sh script,`
			`SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you`
			`want it to be trusted for all three roles, the following commands will create`
			`an appropriate OpenSSL trusted certificate:`

			`#\ install -vdm755 /etc/ssl/local \`
			`#\ wget http://www.cacert.org/certs/root.crt \`
			`#\ openssl x509 -in root.crt -text -fingerprint \\ \`
			`-setalias "CAcert Class 1 root" \\ \`
			`-addtrust serverAuth \\ \`
			`-addtrust emailProtection \\ \`
			`-addtrust codeSigning \\ \`
			`> /etc/ssl/local/CAcert_Class_1_root.pem`

			`If one of the three trust arguments is omitted, the certificate is neither`
			`trusted, nor rejected for that role. Clients that use OpenSSL or NSS`
			`encountering this certificate will present a warning to the user. Clients using`
			`GnuTLS without p11-kit support are not aware of trusted certificates. To`
			`include this CA into the ca-bundle.crt (used for GnuTLS), it must have`
			`serverAuth trust. Additionally, to explicitly disallow a certificate for a`
			`particular use, replace the -addtrust flag with the -addreject flag.`

			`Local trust overrides are handled entirely using the /etc/ssl/local directory.`
			`To override Mozilla's trust values, simply make a copy of the certificate in`
			`the local directory with alternate trust values.`
make-ca, include.h2m: Add detailed dependncy info and add note about configuration file 2020-03-08 10:07:27 +05:30