make-ca is a utility to deliver and manage a complete PKI configuration for workstaitons and servers using only standard Unix utilities and OpenSSL. It will optionally generate keystores for OpenJDK and NSS if already installed, using a Mozilla cacerts.txt or like formatted file. It was originally developed for use with Linux From Scratch to minimize dependencies for early system build, but has been written to be generic enough for any Linux distribution. The make-ca script will process the certificates included in the certdata.txt file for use in multiple certificate stores (if the associated applications are present on the system). Additionally, any local certificates stored in /etc/ssl/local will be imported into the certificate stores. Certificates in this directory should be stored as PEM encoded OpenSSL trusted certificates. As of version 1.2, a p11-kit helper, copy-trust-modifications, is included for use in p11-kit's trust-extract-compat script (which should be symlinked to the user's path as update-ca-certificates). Manual creation of OpenSSL trusted certificates is no longer needed. Instead, import the certificate using p11-kit's trust utility, and recreate the individual stores using the update-ca-certificates script. A copy of any modified anchors will be placed into $LOCALDIR (in the correct format) by the p11-kit helper script. For the p11-kit distro hook, remove the "not configured" and "exit 1" lines from trust/trust-extract-compat.in, and append the following: =============================================================================== # Copy existing modifications to local store /usr/libexec/make-ca/copy-trust-modifications # Generate a new trust store /usr/sbin/make-ca -f -g =============================================================================== The manual instructions below have been left for reference. To create an OpenSSL trusted certificate from a regular PEM encoded file, provided by a CA not included in Mozilla's certificate distribution, you need to add trust arguments to the openssl command, and create a new certificate. There are three trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you want it to be trusted for all three roles, the following commands will create an appropriate OpenSSL trusted certificate: # install -vdm755 /etc/ssl/local && # wget http://www.cacert.org/certs/root.crt && # openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \ -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \ > /etc/ssl/local/CAcert_Class_1_root.pem If one of the three trust arguments is omitted, the certificate is neither trusted, nor rejected for that role. Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA into the ca-bundle.crt (used for GnuTLS), it must have serverAuth trust. Additionally, to explicitly disallow a certificate for a particular use, replace the -addtrust flag with the -addreject flag. Local trust overrides are handled entirely using the /etc/ssl/local directory. To override Mozilla's trust values, simply make a copy of the certificate in the local directory with alternate trust values.