2017-09-25 07:48:16 +05:30
|
|
|
make-ca is a utility to deliver and manage a complete PKI configuration for
|
|
|
|
workstaitons and servers using only standard Unix utilities and OpenSSL. It
|
|
|
|
will optionally generate keystores for OpenJDK and NSS if already installed,
|
|
|
|
using a Mozilla cacerts.txt or like formatted file. It was originally developed
|
|
|
|
for use with Linux From Scratch to minimize dependencies for early system
|
|
|
|
build, but has been written to be generic enough for any Linux distribution.
|
2017-09-19 11:01:40 +05:30
|
|
|
|
|
|
|
The make-ca script will process the certificates included in the certdata.txt
|
|
|
|
file for use in multiple certificate stores (if the associated applications are
|
|
|
|
present on the system). Additionally, any local certificates stored in
|
|
|
|
/etc/ssl/local will be imported to the certificate stores. Certificates in this
|
|
|
|
directory should be stored as PEM encoded OpenSSL trusted certificates.
|
|
|
|
|
|
|
|
To create an OpenSSL trusted certificate from a regular PEM encoded file,
|
|
|
|
provided by a CA not included in Mozilla's certificate distribution, you need
|
|
|
|
to add trust arguments to the openssl command, and create a new certificate.
|
|
|
|
There are three trust types that are recognized by the make-ca.sh script,
|
|
|
|
SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you
|
|
|
|
want it to be trusted for all three roles, the following commands will create
|
|
|
|
an appropriate OpenSSL trusted certificate:
|
|
|
|
|
|
|
|
# install -vdm755 /etc/ssl/local &&
|
|
|
|
# wget http://www.cacert.org/certs/root.crt &&
|
|
|
|
# openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
|
|
|
|
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
|
|
|
> /etc/ssl/local/CAcert_Class_1_root.pem
|
|
|
|
|
|
|
|
If one of the three trust arguments is omitted, the certificate is neither
|
|
|
|
trusted, nor rejected for that role. Clients that use OpenSSL or NSS
|
|
|
|
encountering this certificate will present a warning to the user. Clients using
|
|
|
|
GnuTLS without p11-kit support are not aware of trusted certificates. To
|
|
|
|
include this CA into the ca-bundle.crt (used for GnuTLS), it must have
|
|
|
|
serverAuth trust. Additionally, to explicitly disallow a certificate for a
|
|
|
|
particular use, replace the -addtrust flag with the -addreject flag.
|
|
|
|
|
2017-09-21 11:09:18 +05:30
|
|
|
Local trust overrides are handled entirely using the /etc/ssl/local directory.
|
2017-09-21 11:10:23 +05:30
|
|
|
To override Mozilla's trust values, simply make a copy of the certificate in
|
2017-09-21 11:09:18 +05:30
|
|
|
the local directory with alternate trust values.
|
2018-12-28 12:11:01 +05:30
|
|
|
|
|
|
|
Additionally, for the p11-kit distro hook, remove the "not configured" and
|
|
|
|
"exit 1" lines from trust/trust-extract-compat.in, and add the following
|
|
|
|
commands:
|
|
|
|
|
|
|
|
===============================================================================
|
|
|
|
# Use make-ca to manage certificates
|
|
|
|
if [ -f /etc/make-ca.conf ]; then
|
|
|
|
. /etc/make-ca.conf
|
|
|
|
else
|
|
|
|
#Use defaults if make-ca.conf does not exist
|
|
|
|
ANCHORDIR="/etc/pki/anchors"
|
|
|
|
ANCHORLIST="/etc/pki/anchors.txt"
|
|
|
|
LOCALDIR="/etc/ssl/local"
|
|
|
|
CERTLIST=""
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Create a list of certificates not present at previous run
|
|
|
|
for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do
|
|
|
|
/bin/grep "${ca}" "${ANCHORLIST}" 2>&1>/dev/null || \
|
|
|
|
CERTLIST="${CERTLIST} ${ca}"
|
|
|
|
done
|
|
|
|
|
|
|
|
# Dump to a temporary directory
|
|
|
|
TEMPDIR=`mktemp -d`
|
|
|
|
/usr/bin/trust extract --filter=certificates --format=openssl-directory \
|
|
|
|
--overwrite "${TEMPDIR}"
|
|
|
|
|
|
|
|
# Copy new certificates to LOCALDIR
|
|
|
|
for certificate in `echo "${CERTLIST}"` ; do
|
|
|
|
LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"`
|
|
|
|
LABELNEW=`echo "${LABEL}" | \
|
|
|
|
/bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
|
|
|
|
cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
|
|
|
|
unset LABEL LABELNEW
|
|
|
|
done
|
|
|
|
|
|
|
|
# Clean up
|
|
|
|
rm -rf "${TEMPDIR}"
|
|
|
|
unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
|
|
|
|
|
|
|
|
# Generate a new trust store
|
|
|
|
/usr/sbin/make-ca -f
|
|
|
|
EOF
|
|
|
|
===============================================================================
|
|
|
|
|