2021-09-14 07:46:41 +05:30
|
|
|
Future development will continue at https://github.com/lfs-book
|
|
|
|
|
2017-09-25 07:48:16 +05:30
|
|
|
make-ca is a utility to deliver and manage a complete PKI configuration for
|
2020-11-13 08:12:58 +05:30
|
|
|
workstations and servers using only standard Unix utilities, OpenSSL, and
|
2019-04-13 09:23:30 +05:30
|
|
|
p11-kit, using a Mozilla cacerts.txt or like file as the trust source. It can
|
|
|
|
optionally generate keystores for OpenJDK PKCS#12 and NSS if installed. It was
|
|
|
|
originally developed for use with Linux From Scratch to minimize dependencies
|
|
|
|
for early system build, but has been written to be generic enough for any Linux
|
|
|
|
distribution.
|
2017-09-19 11:01:40 +05:30
|
|
|
|
|
|
|
The make-ca script will process the certificates included in the certdata.txt
|
2019-04-13 09:23:30 +05:30
|
|
|
file, and place them in the system trust anchors, for use in multiple
|
2021-08-06 06:27:31 +05:30
|
|
|
certificate stores. Additionally, any local OpenSSL Trusted certificates
|
|
|
|
stored in /etc/ssl/local will also be imported into the system trust anchors
|
|
|
|
and certificate stores making it a full trust management utiltiy.
|
2019-01-05 09:05:03 +05:30
|
|
|
|
2021-08-06 07:10:36 +05:30
|
|
|
The make-ca script depends on OpenSSL >= 1.1.0, P11-Kit >= 0.23.19, and
|
|
|
|
optionally NSS >= 3.23 and Java >= 1.7. Additionally, Coreutils, gawk, and
|
|
|
|
sed are used. The default locations for output files can be tailored for
|
|
|
|
your environment via the /etc/make-ca.conf configuration file.
|
2020-03-08 08:16:09 +05:30
|
|
|
|
2021-08-06 07:10:36 +05:30
|
|
|
A p11-kit helper, copy-trust-modifications, is included for use in p11-kit's
|
|
|
|
trust-extract-compat script (which should be symlinked to the user's path as
|
|
|
|
update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no
|
|
|
|
longer required for general use. Instead, import the certificate using
|
2021-08-06 09:13:41 +05:30
|
|
|
p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality.
|
|
|
|
This will recreate the individual stores assigning approriate permissions to
|
|
|
|
the newly added anchor(s). Additionally, a copy of any newly added anchors will be placed into $LOCALDIR for future use.
|
2019-01-05 09:05:03 +05:30
|
|
|
|
|
|
|
For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
|
2020-12-16 22:11:36 +05:30
|
|
|
from trust/trust-extract-compat, and append the following:
|
2019-01-05 09:05:03 +05:30
|
|
|
===============================================================================
|
|
|
|
# Copy existing modifications to local store
|
|
|
|
/usr/libexec/make-ca/copy-trust-modifications
|
|
|
|
|
2021-08-06 10:04:27 +05:30
|
|
|
# Update trust stores
|
2021-08-06 09:13:41 +05:30
|
|
|
/usr/sbin/make-ca -r
|
2019-01-05 09:05:03 +05:30
|
|
|
===============================================================================
|
|
|
|
|
2019-09-05 06:04:44 +05:30
|
|
|
If you wish to distribute the results of this script as a standalone package,
|
|
|
|
unlike in the BLFS distribution for which it was originally written, where the
|
2020-11-13 08:12:58 +05:30
|
|
|
end user is ultimately responsible for the content, you, as the distributor, are
|
2019-09-05 06:04:44 +05:30
|
|
|
taking ownership for the results. You are strongly encouraged to define a
|
|
|
|
written inclusion policy, distribute all blacklisted files as a part of the
|
|
|
|
local directory, and to provide the written policy in the distributed package.
|
|
|
|
|
2021-08-06 06:27:31 +05:30
|
|
|
While the p11-kit trust utility can be used in most simple cases, you may
|
|
|
|
require additional trust arguments for certian certificates. In these cases,
|
|
|
|
you will need to manually create an OpenSSL trusted certificate from a regular
|
2021-08-06 09:13:41 +05:30
|
|
|
PEM encoded file (use -inform for der or pkcs7 encoded certs). There are three
|
2021-08-06 06:27:31 +05:30
|
|
|
trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and
|
|
|
|
code signing. For example, using the CAcert root, if you want it to be trusted
|
|
|
|
for all three roles, the following commands will create an appropriate OpenSSL
|
|
|
|
Trusted certificate:
|
2017-09-19 11:01:40 +05:30
|
|
|
|
|
|
|
# install -vdm755 /etc/ssl/local &&
|
|
|
|
# wget http://www.cacert.org/certs/root.crt &&
|
|
|
|
# openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
|
|
|
|
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
|
|
|
|
> /etc/ssl/local/CAcert_Class_1_root.pem
|
|
|
|
|
|
|
|
If one of the three trust arguments is omitted, the certificate is neither
|
2021-08-06 06:27:31 +05:30
|
|
|
trusted, nor rejected for that role. Clients using GnuTLS without p11-kit
|
|
|
|
support are not aware of trusted certificates. To include this CA into the
|
|
|
|
ca-bundle.crt (used for GnuTLS linked applications not using the p11-module),
|
|
|
|
it must have serverAuth trust. Additionally, to explicitly disallow a
|
|
|
|
certificate for a particular use, replace the -addtrust flag with the
|
|
|
|
-addreject flag.
|
2017-09-19 11:01:40 +05:30
|
|
|
|
2017-09-21 11:09:18 +05:30
|
|
|
Local trust overrides are handled entirely using the /etc/ssl/local directory.
|
2017-09-21 11:10:23 +05:30
|
|
|
To override Mozilla's trust values, simply make a copy of the certificate in
|
2017-09-21 11:09:18 +05:30
|
|
|
the local directory with alternate trust values.
|