README: clarify functionality.

DJ Lucas 2021-08-05 19:57:31 -05:00
parent d7c3b6f28b
commit 0c4cc4ab0d

README

@ -8,9 +8,9 @@ distribution.
The make-ca script will process the certificates included in the certdata.txt
file, and place them in the system trust anchors, for use in multiple
certificate stores. Additionally, any local certificates stored in
/etc/ssl/local will also be imported into the system trust anchors and
certificate stores making it a full trust management utiltiy.
certificate stores. Additionally, any local OpenSSL Trusted certificates
stored in /etc/ssl/local will also be imported into the system trust anchors
and certificate stores making it a full trust management utiltiy.
The make-ca script depends on OpenSSL-1.1.0, P11-Kit-0.23, and optionally,
NSS-3.23 (for the MozTrust exetension). Additionally, Coreutils, gawk, and sed
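Review bot: the last added line of this hunk still carries the typo "utiltiy" from the line it replaces; since the sentence is already being reworded here, change it to "utility" in the same hunk. Minor: the capitalised "OpenSSL Trusted certificates" in the first added line is inconsistent with the lower-case "trusted certificate" used in the rest of the README (and in the unchanged context line "Manual creation of OpenSSL trusted certificates"); pick one form.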
@ -21,9 +21,11 @@ As of version 1.2, a p11-kit helper, copy-trust-modifications, is included
for use in p11-kit's trust-extract-compat script (which should be symlinked
to the user's path as update-ca-certificates). Manual creation of OpenSSL
trusted certificates is no longer needed. Instead, import the certificate
using p11-kit's trust utility, and recreate the individual stores using the
update-ca-certificates script. A copy of any modified anchors will be placed
into $LOCALDIR (in the correct format) by the p11-kit helper script.
using p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality,
which will recreate the individual stores assigning serverAuth permissions to
the added certificate. A copy of any newly added anchors will be placed
into $LOCALDIR (in the correct format) by the p11-kit helper script, and the
individual stores will be recreated.
For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
from trust/trust-extract-compat, and append the following:
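Review bot: the added text states the store rebuild twice ("which will recreate the individual stores assigning serverAuth permissions" and then "and the individual stores will be recreated"); keep one of them. More importantly, the new wording says the `trust anchor --store` path assigns serverAuth only, but gives the reader no hint that a CA needed for S/MIME or code signing cannot be imported this way; add a sentence pointing to the manual OpenSSL trusted-certificate instructions further down the README, which cover the other two trust types.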
@ -42,16 +44,14 @@ taking ownership for the results. You are strongly encouraged to define a
written inclusion policy, distribute all blacklisted files as a part of the
local directory, and to provide the written policy in the distributed package.
The manual instructions below have been left for reference.
To create an OpenSSL trusted certificate from a regular PEM encoded file,
provided by a CA not included in Mozilla's certificate distribution, you need
to add trust arguments to the openssl command, and create a new certificate.
There are three trust types that are recognized by the make-ca.sh script,
SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you
want it to be trusted for all three roles, the following commands will create
an appropriate OpenSSL trusted certificate:
While the p11-kit trust utility can be used in most simple cases, you may
require additional trust arguments for certian certificates. In these cases,
you will need to manually create an OpenSSL trusted certificate from a regular
PEM encoded file (use -inform for der or pkcs7 encoded certs).There are three
trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and
code signing. For example, using the CAcert root, if you want it to be trusted
for all three roles, the following commands will create an appropriate OpenSSL
Trusted certificate:
# install -vdm755 /etc/ssl/local &&
# wget http://www.cacert.org/certs/root.crt &&
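Review bot: "use -inform for der or pkcs7 encoded certs" is inaccurate: `openssl x509 -inform` accepts PEM or DER only, and a PKCS#7 bundle has to be unpacked first (for example with `openssl pkcs7 -print_certs`) before the x509 command can consume it; reword to "use -inform DER for DER encoded certs" or describe the PKCS#7 step separately. Also fix "certian" to "certain" and add the missing space after the closing parenthesis in "certs).There are three".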
@ -60,12 +60,12 @@ an appropriate OpenSSL trusted certificate:
> /etc/ssl/local/CAcert_Class_1_root.pem
If one of the three trust arguments is omitted, the certificate is neither
trusted, nor rejected for that role. Clients that use OpenSSL or NSS
encountering this certificate will present a warning to the user. Clients using
GnuTLS without p11-kit support are not aware of trusted certificates. To
include this CA into the ca-bundle.crt (used for GnuTLS), it must have
serverAuth trust. Additionally, to explicitly disallow a certificate for a
particular use, replace the -addtrust flag with the -addreject flag.
trusted, nor rejected for that role. Clients using GnuTLS without p11-kit
support are not aware of trusted certificates. To include this CA into the
ca-bundle.crt (used for GnuTLS linked applications not using the p11-module),
it must have serverAuth trust. Additionally, to explicitly disallow a
certificate for a particular use, replace the -addtrust flag with the
-addreject flag.
Local trust overrides are handled entirely using the /etc/ssl/local directory.
To override Mozilla's trust values, simply make a copy of the certificate in
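Review bot: the hunk drops "Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user" without a replacement, so the README no longer says what happens in OpenSSL or NSS clients when a certificate is neither trusted nor rejected for a role; if the sentence was removed because it is no longer accurate, state the current behaviour, otherwise keep it. Also "GnuTLS linked applications not using the p11-module" is ambiguous; "not using the p11-kit trust module" would name what is meant.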