README,include.h2m: Sync documentation and fix typos.
This commit is contained in:
parent
8baf93dc22
commit
f7a8c9f2f3
10
README
10
README
@ -21,11 +21,9 @@ A p11-kit helper, copy-trust-modifications, is included for use in p11-kit's
|
|||||||
trust-extract-compat script (which should be symlinked to the user's path as
|
trust-extract-compat script (which should be symlinked to the user's path as
|
||||||
update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no
|
update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no
|
||||||
longer required for general use. Instead, import the certificate using
|
longer required for general use. Instead, import the certificate using
|
||||||
p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality,
|
p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality.
|
||||||
which will recreate the individual stores assigning serverAuth permissions to
|
This will recreate the individual stores assigning approriate permissions to
|
||||||
the added certificate. A copy of any newly added anchors will be placed
|
the newly added anchor(s). Additionally, a copy of any newly added anchors will be placed into $LOCALDIR for future use.
|
||||||
into $LOCALDIR (in the correct format) by the p11-kit helper script, and the
|
|
||||||
individual stores will be recreated.
|
|
||||||
|
|
||||||
For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
|
For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
|
||||||
from trust/trust-extract-compat, and append the following:
|
from trust/trust-extract-compat, and append the following:
|
||||||
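Review bot: the rewritten sentence on the right ("This will recreate the individual stores assigning approriate permissions ...") introduces a spelling error ("approriate" should be "appropriate") in a commit whose message says it fixes typos; the same paragraph in include.h2m carries the same one. The old wording also attributed the store rebuild to the p11-kit helper script, whereas the new wording reads as though `trust anchor --store` itself recreates the stores; since the stores are rebuilt by the trust-extract-compat hook described just below ("copy-trust-modifications" followed by "# Generate a new trust store"), consider "p11-kit's trust-extract-compat hook will then recreate the individual stores ...". Finally, the new line "the newly added anchor(s). Additionally, a copy of any newly added anchors will be placed into $LOCALDIR for future use." is not wrapped at the column width the rest of the README uses; the include.h2m copy of this paragraph is wrapped, so wrap it here as well.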
@ -34,7 +32,7 @@ from trust/trust-extract-compat, and append the following:
|
|||||||
/usr/libexec/make-ca/copy-trust-modifications
|
/usr/libexec/make-ca/copy-trust-modifications
|
||||||
|
|
||||||
# Generate a new trust store
|
# Generate a new trust store
|
||||||
/usr/sbin/make-ca -f -g
|
/usr/sbin/make-ca -r
|
||||||
===============================================================================
|
===============================================================================
|
||||||
|
|
||||||
If you wish to distribute the results of this script as a standalone package,
|
If you wish to distribute the results of this script as a standalone package,
|
||||||
|
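Review bot: the hook invocation changes from `/usr/sbin/make-ca -f -g` to `/usr/sbin/make-ca -r`, but nothing in this diff says what -r does or whether it still forces a rebuild the way -f did, and the include.h2m hunk below still shows `make-ca -g` as its example invocation. If -r is a new option, document it in include.h2m (and in make-ca's usage text) in this same change so the README and the man page stay in sync, which is what the commit message promises.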
58
include.h2m
58
include.h2m
@ -3,31 +3,33 @@ make-ca -g
|
|||||||
|
|
||||||
[EXAMPLES]
|
[EXAMPLES]
|
||||||
The make-ca script will process the certificates included in the certdata.txt
|
The make-ca script will process the certificates included in the certdata.txt
|
||||||
file for use in multiple certificate stores (if the required prerequisites are
|
file, and place them in the system trust anchors, for use in multiple
|
||||||
present on the system). Additionally, any local certificates stored in
|
certificate stores. Additionally, any local OpenSSL Trusted certificates
|
||||||
/etc/ssl/local will be imported to the certificate stores. Certificates in this
|
stored in /etc/ssl/local will also be imported into the system trust anchors
|
||||||
directory should be stored as PEM encoded OpenSSL trusted certificates.
|
and certificate stores making it a full trust management utiltiy.
|
||||||
|
|
||||||
The make-ca script depends on OpenSSL-1.1.0, P11-Kit-0.23, and optionally,
|
The make-ca script depends on OpenSSL >= 1.1.0, P11-Kit >= 0.23.19, and
|
||||||
NSS-3.23 (for the MozTrust exetension). Additionally, Coreutils, gawk, and sed
|
optionally NSS >= 3.23 and Java >= 1.7. Additionally, Coreutils, gawk, and
|
||||||
are used. The default locations for output files can be tailored for your
|
sed are used. The default locations for output files can be tailored for
|
||||||
environment via the /etc/make-ca.conf configuration file.
|
your environment via the /etc/make-ca.conf configuration file.
|
||||||
|
|
||||||
As of version 1.2, a p11-kit helper, copy-trust-modifications, is included
|
A p11-kit helper, copy-trust-modifications, is included for use in p11-kit's
|
||||||
for use in p11-kit's trust-extract-compat script. Manual creation of OpenSSL
|
trust-extract-compat script (which should be symlinked to the user's path as
|
||||||
trusted certificates is no longer needed. Instead, import the certificate
|
update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no
|
||||||
using p11-kit's trust utility, and recreate the individual stores using the
|
longer required for general use. Instead, import the certificate using
|
||||||
update-ca-certificates script. A copy of any modified anchors will be placed
|
p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality.
|
||||||
into $LOCALDIR (in the correct format) by the p11-kit helper script. The old
|
This will recreate the individual stores assigning approriate permissions to
|
||||||
method is left for reference:
|
the newly added anchor(s). Additionally, a copy of any newly added anchors will
|
||||||
|
be placed into $LOCALDIR for future use.
|
||||||
|
|
||||||
To create an OpenSSL trusted certificate from a regular PEM encoded file,
|
While the p11-kit trust utility can be used in most simple cases, you may
|
||||||
provided by a CA not included in Mozilla's certificate distribution, you need
|
require additional trust arguments for certian certificates. In these cases,
|
||||||
to add trust arguments to the openssl command, and create a new certificate.
|
you will need to manually create an OpenSSL trusted certificate from a regular
|
||||||
There are three trust types that are recognized by the make-ca.sh script,
|
PEM encoded file (use -inform for der or pkcs7 encoded certs). There are three
|
||||||
SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you
|
trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and
|
||||||
want it to be trusted for all three roles, the following commands will create
|
code signing. For example, using the CAcert root, if you want it to be trusted
|
||||||
an appropriate OpenSSL trusted certificate:
|
for all three roles, the following commands will create an appropriate OpenSSL
|
||||||
|
Trusted certificate:
|
||||||
|
|
||||||
#\ install -vdm755 /etc/ssl/local \
|
#\ install -vdm755 /etc/ssl/local \
|
||||||
#\ wget http://www.cacert.org/certs/root.crt \
|
#\ wget http://www.cacert.org/certs/root.crt \
|
||||||
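Review bot: several spelling errors appear on the new side of this hunk: "utiltiy" should be "utility", "approriate" should be "appropriate", and "certian" should be "certain". The new text also says "the make-ca.sh script" while the same hunk opens with "The make-ca script"; pick one name. The carried-over "S/Mime" should be "S/MIME". Separately, the unchanged example below still fetches the CAcert root with `wget http://www.cacert.org/certs/root.crt` over plain HTTP; since the man page now presents this as the path for certificates needing "additional trust arguments", add a sentence telling the reader to verify the downloaded root's fingerprint out of band before installing it, because a substituted file here would be trusted for all three roles.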
@ -39,12 +41,12 @@ an appropriate OpenSSL trusted certificate:
|
|||||||
> /etc/ssl/local/CAcert_Class_1_root.pem
|
> /etc/ssl/local/CAcert_Class_1_root.pem
|
||||||
|
|
||||||
If one of the three trust arguments is omitted, the certificate is neither
|
If one of the three trust arguments is omitted, the certificate is neither
|
||||||
trusted, nor rejected for that role. Clients that use OpenSSL or NSS
|
trusted, nor rejected for that role. Clients using GnuTLS without p11-kit
|
||||||
encountering this certificate will present a warning to the user. Clients using
|
support are not aware of trusted certificates. To include this CA into the
|
||||||
GnuTLS without p11-kit support are not aware of trusted certificates. To
|
ca-bundle.crt (used for GnuTLS linked applications not using the p11-module),
|
||||||
include this CA into the ca-bundle.crt (used for GnuTLS), it must have
|
it must have serverAuth trust. Additionally, to explicitly disallow a
|
||||||
serverAuth trust. Additionally, to explicitly disallow a certificate for a
|
certificate for a particular use, replace the -addtrust flag with the
|
||||||
particular use, replace the -addtrust flag with the -addreject flag.
|
-addreject flag.
|
||||||
|
|
||||||
Local trust overrides are handled entirely using the /etc/ssl/local directory.
|
Local trust overrides are handled entirely using the /etc/ssl/local directory.
|
||||||
To override Mozilla's trust values, simply make a copy of the certificate in
|
To override Mozilla's trust values, simply make a copy of the certificate in
|
||||||
|
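Review bot: the sentence "Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user." is dropped without a replacement, so the paragraph no longer says what OpenSSL/NSS clients do when a role is neither trusted nor rejected; if it was removed because it was inaccurate, the new text should state the actual behaviour, otherwise restore it. Also "used for GnuTLS linked applications not using the p11-module" is ambiguous: hyphenate "GnuTLS-linked" and spell out which module is meant (the p11-kit trust module), since "p11-module" is not a name used anywhere else in this file.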