Add anchorlist for use by p11-kit to utilize LOCALDIR
This commit is contained in:
parent
2526d6b813
commit
33cdab2a45
@ -1,3 +1,4 @@
|
||||
1.1 - Add anchorlist for use by p11-kit to utilize LOCALDIR
|
||||
1.0 - Move bundle defaults to /etc/pki/tls/{certs,java}/
|
||||
- Fix invalid test cases on command line processing
|
||||
- Remove -c/--cadir flags, replace with -b/--bundledir to store
|
||||
|
46
README
46
README
@ -36,3 +36,49 @@ particular use, replace the -addtrust flag with the -addreject flag.
|
||||
Local trust overrides are handled entirely using the /etc/ssl/local directory.
|
||||
To override Mozilla's trust values, simply make a copy of the certificate in
|
||||
the local directory with alternate trust values.
|
||||
|
||||
Additionally, for the p11-kit distro hook, remove the "not configured" and
|
||||
"exit 1" lines from trust/trust-extract-compat.in, and add the following
|
||||
commands:
|
||||
|
||||
===============================================================================
|
||||
# Use make-ca to manage certificates
|
||||
if [ -f /etc/make-ca.conf ]; then
|
||||
. /etc/make-ca.conf
|
||||
else
|
||||
#Use defaults if make-ca.conf does not exist
|
||||
ANCHORDIR="/etc/pki/anchors"
|
||||
ANCHORLIST="/etc/pki/anchors.txt"
|
||||
LOCALDIR="/etc/ssl/local"
|
||||
CERTLIST=""
|
||||
fi
|
||||
|
||||
# Create a list of certificates not present at previous run
|
||||
for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do
|
||||
/bin/grep "${ca}" "${ANCHORLIST}" 2>&1>/dev/null || \
|
||||
CERTLIST="${CERTLIST} ${ca}"
|
||||
done
|
||||
|
||||
# Dump to a temporary directory
|
||||
TEMPDIR=`mktemp -d`
|
||||
/usr/bin/trust extract --filter=certificates --format=openssl-directory \
|
||||
--overwrite "${TEMPDIR}"
|
||||
|
||||
# Copy new certificates to LOCALDIR
|
||||
for certificate in `echo "${CERTLIST}"` ; do
|
||||
LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"`
|
||||
LABELNEW=`echo "${LABEL}" | \
|
||||
/bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
|
||||
cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
|
||||
unset LABEL LABELNEW
|
||||
done
|
||||
|
||||
# Clean up
|
||||
rm -rf "${TEMPDIR}"
|
||||
unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
|
||||
|
||||
# Generate a new trust store
|
||||
/usr/sbin/make-ca -f
|
||||
EOF
|
||||
===============================================================================
|
||||
|
||||
|
4
make-ca
4
make-ca
@ -24,6 +24,7 @@ else
|
||||
OPENSSL="/usr/bin/openssl"
|
||||
TRUST="/usr/bin/trust"
|
||||
ANCHORDIR="${PKIDIR}/anchors"
|
||||
ANCHORLIST="${PKIDIR}/anchors.txt"
|
||||
BUNDLEDIR="${PKIDIR}/tls/certs"
|
||||
CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
|
||||
SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
|
||||
@ -848,6 +849,9 @@ fi
|
||||
# Clean up the mess
|
||||
rm -rf "${TEMPDIR}"
|
||||
|
||||
# Build ANCHORLIST
|
||||
/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}"
|
||||
|
||||
# Build alternate formats using p11-kit trust (if not using DESTDIR)
|
||||
if test "x${DESTDIR}" == "x"; then
|
||||
mkdir -p "${BUNDLEDIR}" "${KEYSTORE}"
|
||||
|
@ -8,6 +8,7 @@ KEYTOOL="${JAVA_HOME}/bin/keytool"
|
||||
OPENSSL="/usr/bin/openssl"
|
||||
TRUST="/usr/bin/trust"
|
||||
ANCHORDIR="${PKIDIR}/anchors"
|
||||
ANCHORLIST="${PKIDIR}/anchors.txt"
|
||||
BUNDLEDIR="${PKIDIR}/tls/certs"
|
||||
CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
|
||||
SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
|
||||
|
Loading…
Reference in New Issue
Block a user