From 497dd83b6cc6f54986d9a66b3a65dc9b20f83cc7 Mon Sep 17 00:00:00 2001 From: DJ Lucas Date: Fri, 22 Sep 2017 19:57:31 -0500 Subject: [PATCH] Update documentation and program output --- CHANGELOG | 1 + Makefile | 6 ++-- include.h2m | 38 ++++++++++++++++++++++ make-ca | 93 +++++++++++++++++++++++++++++------------------------ 4 files changed, 93 insertions(+), 45 deletions(-) create mode 100644 include.h2m diff --git a/CHANGELOG b/CHANGELOG index 706c3c0..b3879b4 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,6 +4,7 @@ - Always add REVISION value to installed certdata.txt - Use HG revision value (fall back to date for local files) - Allow rebuid within DESTDIR + - Complete manpage 0.1 - Check executable bit for CERTUTIL, KEYTOOL, and OPENSSL - Allow global configuration file - Use correct license text (MIT) diff --git a/Makefile b/Makefile index f89f49b..e217a57 100644 --- a/Makefile +++ b/Makefile @@ -3,13 +3,13 @@ SBINDIR=/usr/sbin all: chmod 755 make-ca help2man - ./help2man -N ./make-ca -o make-ca.1 + ./help2man -s 8 -N ./make-ca -i include.h2m -o make-ca.8 install: /usr/bin/install -vdm755 $(DESTDIR)$(SBINDIR) - /usr/bin/install -vdm755 $(DESTDIR)$(MANDIR)/man1 + /usr/bin/install -vdm755 $(DESTDIR)$(MANDIR)/man8 install -vm755 make-ca $(DESTDIR)$(SBINDIR) - install -vm644 make-ca.1 $(DESTDIR)$(MANDIR)/man1 + install -vm644 make-ca.8 $(DESTDIR)$(MANDIR)/man8 .PHONY: all install diff --git a/include.h2m b/include.h2m new file mode 100644 index 0000000..d24224e --- /dev/null +++ b/include.h2m 
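Review bot: In the Makefile hunk, `install:` still has no prerequisite on `all`, so on a fresh checkout `make install` tries to copy a make-ca.8 that help2man has not generated yet; declaring `install: all` would make the target self-contained. MANDIR is presumably defined above the hunk, since SBINDIR is the only variable visible in it.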
@@ -0,0 +1,38 @@
+[SYNOPSYS]
+make-ca -g
+
+[EXAMPLES]
+The make-ca script will process the certificates included in the certdata.txt
+file for use in multiple certificate stores (if the associated applications are
+present on the system). Additionally, any local certificates stored in
+/etc/ssl/local will be imported to the certificate stores. Certificates in this
+directory should be stored as PEM encoded OpenSSL trusted certificates.
+
+To create an OpenSSL trusted certificate from a regular PEM encoded file,
+provided by a CA not included in Mozilla's certificate distribution, you need
+to add trust arguments to the openssl command, and create a new certificate.
+There are three trust types that are recognized by the make-ca.sh script,
+SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you
+want it to be trusted for all three roles, the following commands will create
+an appropriate OpenSSL trusted certificate:
+
+ #\ install -vdm755 /etc/ssl/local \
+ #\ wget http://www.cacert.org/certs/root.crt \
+ #\ openssl x509 -in root.crt -text -fingerprint \\ \
+ -setalias "CAcert Class 1 root" \\ \
+ -addtrust serverAuth \\ \
+ -addtrust emailProtection \\ \
+ -addtrust codeSigning \\ \
+ > /etc/ssl/local/CAcert_Class_1_root.pem
+
+If one of the three trust arguments is omitted, the certificate is neither
+trusted, nor rejected for that role. Clients that use OpenSSL or NSS
+encountering this certificate will present a warning to the user. Clients using
+GnuTLS without p11-kit support are not aware of trusted certificates. To
+include this CA into the ca-bundle.crt (used for GnuTLS), it must have
+serverAuth trust. Additionally, to explicitly disallow a certificate for a
+particular use, replace the -addtrust flag with the -addreject flag.
+
+Local trust overrides are handled entirely using the /etc/ssl/local directory.
+To override Mozilla's trust values, simply make a copy of the certificate in
+the local directory with alternate trust values.
diff --git a/make-ca b/make-ca index e475fda..259d681 100644 --- a/make-ca +++ b/make-ca @@ -8,7 +8,7 @@ # Authors: DJ Lucas # Bruce Dubbs -VERSION="0.1" +VERSION="0.2" # Get/set defaults if test -f /etc/make-ca.conf; then 
@@ -233,63 +233,72 @@ function check_arg(){
 
 function showhelp(){
 echo ""
- echo "`basename ${0}` converts certdata.txt (provided by the Mozilla Foundation)"
- echo "into a complete PKI distribution for use with LFS or like distributions."
+ echo "`basename ${0}` is a utility to deliver and manage a complete PKI configuration"
+ echo "for workstaitons and servers using only standard Unix utilities and OpenSSL. It"
+ echo "will optionally generate keystores for OpenJDK and NSS if already installed,"
+ echo "using a Mozilla cacerts.txt or like formatted file. It was originally developed"
+ echo "for use with Linux From Scratch to minimize dependencies for early system"
+ echo "build, but has been written to be generic enough for any Linux distribution."
 echo ""
- echo " -C --certdata The certdata.txt file (provided by Mozilla)"
- echo " Default: ./certdata.txt"
+ echo " -C, --certdata [certdata.txt]"
+ echo " The location of the certificates source."
 echo ""
- echo " -D --destdir Change the output directory and use relative"
+ echo " -D, --destdir [/]"
+ echo " Change the output directory and use relative"
 echo " paths for all other values."
- echo " Default: unset"
 echo ""
- echo " -P --pkidir The output PKI directory - Cannot be used with"
- echo " the -a/--anchordir or -n/--nssdb switches"
- echo " Default: /etc/pki"
+ echo " -P, --pkidir [/etc/pki]"
+ echo " The output PKI directory - Cannot be used with"
+ echo " the -a / --anchordir or -n / --nssdb switches"
 echo ""
- echo " -S --ssldir The output SSL root direcotry - Cannot be used"
- echo " with the -c/--cafile, -d/--cadir, or"
- echo " -j/--javacerts switches"
- echo " Defualt: /etc/ssl"
+ echo " -S, --ssldir [/etc/ssl]"
+ echo " The output SSL root direcotry - Cannot be used"
+ echo " with the -c / --cafile, -d / --cadir, or"
+ echo " -j / --javacerts switches"
 echo ""
- echo " -a --anchordir The output directory for OpenSSL trusted"
+ echo " -a, --anchordir [\$PKIDIR/anchors]"
+ echo " The output directory for OpenSSL trusted"
 echo " CA certificates used as trust anchors."
- echo " Default: \$PKIDIR/anchors"
 echo ""
- echo " -c --cafile The output filename for the PEM formated bundle"
- echo " Default: \$SSLDIR/ca-bundle.crt"
+ echo " -c, --cafile [\$SSLDIR/ca-bundle.crt]"
+ echo " The output filename for the PEM formated bundle"
 echo ""
- echo " -d --cadir The output directory for the OpenSSL trusted"
+ echo " -d, --cadir [\$SSLDIR/certs]"
+ echo " The output directory for the OpenSSL trusted"
 echo " CA certificates"
- echo " Deault: \$SSLDIR/certs/"
 echo ""
- echo " -g --get Download certdata.txt directly from Mozilla's"
+ echo " -j, --javacerts [\$SSLDIR/java/cacerts]"
+ echo " The output path for the Java cacerts file"
+ echo ""
+ echo " -l, --localdir [\$SSLDIR/local]"
+ echo " The path to a local set of OpenSSL trusted"
+ echo " certificates, used to both override trust bits"
+ echo " from upstream sources and provide locally"
+ echo " provided certifiates."
+ echo ""
+ echo " -n, --nssdb [\$PKIDIR/nssdb]"
+ echo " The output path for the shared NSS DB"
+ echo ""
+ echo " -k, --keytool [PATH]"
+ echo " The path to the java keytool utility"
+ echo ""
+ echo " -s, --openssl [PATH]"
+ echo " The path to the openssl utility"
+ echo ""
+ echo " -t, --certutil [PATH]"
+ echo " The path the certutil utility"
+ echo ""
+ echo " -f, --force Force run, even if source is not newer"
+ echo ""
+ echo " -g, --get Download certdata.txt directly from Mozilla's"
 echo " Mecurial server."
 echo ""
- echo " -j --javacerts The output path for the Java cacerts file"
- echo " Default: \$SSLDIR/java/cacerts"
+ echo " -h, --help Show this help message and exit"
 echo ""
- echo " -l --localdir The path to a local set of OpenSSL trusted"
- echo " certificates to include in the output"
- echo " Default: \$SSLDIR/local"
- echo ""
- echo " -n --nssdb The output path for the shared NSS DB"
- echo " Default: \$PKIDIR/nssdb"
- echo ""
- echo " -k --keytool The path to the java keytool utility"
- echo ""
- echo " -r --rebuild Rebuild the enitre PKI tree using the previous"
+ echo " -r, --rebuild Rebuild the enitre PKI tree using the previous"
 echo " certdata.txt file."
 echo ""
- echo " -s --openssl The path to the openssl utility"
- echo ""
- echo " -t --certutil The path the certutil utility"
- echo ""
- echo " -f --force Force run, even if source is not newer"
- echo ""
- echo " -h --help Show this help message and exit"
- echo ""
- echo " -v --version Show version information and exit"
+ echo " -v. --version Show version information and exit"
 echo ""
 echo "Example: `basename ${0}` -f -C ~/certdata.txt"
 echo ""
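Review bot: The new description line `echo "using a Mozilla cacerts.txt or like formatted file. It was originally developed"` calls the input cacerts.txt, while the -C and -g entries in the same hunk call it certdata.txt; the name should be consistent, e.g. `echo "using a Mozilla certdata.txt or like formatted file. It was originally developed"`. The rewritten option list also introduces `-v. --version` where every other entry uses a comma, plus the new misspellings "workstaitons" and "certifiates" next to the carried-over "direcotry", "formated", "Mecurial", "enitre" and "The path the certutil utility", and because help2man builds the man page from this output they all land in the manual. The new lines keep the unquoted backtick form `` `basename ${0}` `` from the old text; `$(basename "$0")` is the equivalent that ShellCheck accepts. showhelp's closing brace lies outside the hunk.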