DJ Lucas 5f9c836053 Redirect errors in copy-trust-modifications script
Use update-ca-certificates for systemd service
2019-04-12 23:11:01 -05:00

make-ca is a utility to deliver and manage a complete PKI configuration for
workstations and servers using only standard Unix utilities, OpenSSL, and
p11-kit, with a Mozilla certdata.txt or similar file as the trust source. It can
optionally generate OpenJDK, PKCS#12, and NSS keystores if the corresponding
tools are installed. It was originally developed for Linux From Scratch, to
minimize dependencies early in the system build, but is written generically
enough for any Linux distribution.

The make-ca script processes the certificates included in the certdata.txt
file and places them in the system trust anchors, for use by multiple
certificate stores. Additionally, any local certificates stored in
/etc/ssl/local are also imported into the system trust anchors and
certificate stores, making it a full trust management utility.

As of version 1.2, a p11-kit helper, copy-trust-modifications, is included
for use in p11-kit's trust-extract-compat script (which should be symlinked
into the user's path as update-ca-certificates). Manual creation of OpenSSL
trusted certificates is no longer needed. Instead, import the certificate
using p11-kit's trust utility, and recreate the individual stores by running
the update-ca-certificates script. A copy of any modified anchors is placed
into $LOCALDIR (in the correct format) by the p11-kit helper script.

For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
from trust/trust-extract-compat.in, and append the following:
===============================================================================
# Copy existing modifications to local store
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g
===============================================================================

The manual instructions below have been left for reference.

To create an OpenSSL trusted certificate from a regular PEM-encoded certificate
provided by a CA not included in Mozilla's certificate distribution, add trust
arguments to the openssl command and write out a new certificate. There are
three trust types recognized by the make-ca script: SSL/TLS (serverAuth),
S/MIME (emailProtection), and code signing (codeSigning). For example, using
the CAcert root, if you want it to be trusted for all three roles, the
following commands create an appropriate OpenSSL trusted certificate:

# install -vdm755 /etc/ssl/local &&
# wget http://www.cacert.org/certs/root.crt &&
# openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
          -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
          > /etc/ssl/local/CAcert_Class_1_root.pem

Note that the download above is over plain HTTP; before installing the result,
compare the fingerprint that -fingerprint wrote into the file against the one
the CA publishes.

If one of the three trust arguments is omitted, the certificate is neither
trusted nor rejected for that role, and clients that use OpenSSL or NSS and
encounter the certificate in that role will present a warning to the user.
Clients using GnuTLS without p11-kit support are not aware of OpenSSL trusted
certificates; to include this CA in the ca-bundle.crt used by GnuTLS, it must
have serverAuth trust. To explicitly disallow a certificate for a particular
use, replace the -addtrust flag with -addreject.

Local trust overrides are handled entirely through the /etc/ssl/local
directory. To override Mozilla's trust values for a certificate, place a copy
of that certificate in the local directory with the alternate trust values.
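The following script is an added example, not part of make-ca or of this
README. It assumes only that openssl is in PATH; the CA it generates, the alias
"Example Local CA", and a temporary directory standing in for /etc/ssl/local
are constructed stand-ins. It exercises the three situations described above
(a CA trusted for two roles and rejected for the third, one trusted for
serverAuth only, and an override file rejecting serverAuth) and then reads the
trust values back out of each trusted certificate, which is the same check you
would run on a file before dropping it into /etc/ssl/local.

```shell
#!/bin/sh
# Added example, not make-ca's own code: write an OpenSSL "trusted certificate"
# with per-role trust values and read the roles back.
set -eu

WORK=$(mktemp -d)
LOCALDIR="$WORK/local"           # stand-in for /etc/ssl/local (constructed)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$LOCALDIR"

# Constructed input: a throw-away self-signed root standing in for a
# third-party CA certificate such as CAcert's root.crt.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Local CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# mk_trusted_cert SRC DST ALIAS [-addtrust|-addreject OID]...
# Same openssl x509 invocation as the README; -fingerprint keeps the SHA-1
# fingerprint in the file so it can be compared with a published value.
mk_trusted_cert() {
    src=$1; dst=$2; alias=$3; shift 3
    openssl x509 -in "$src" -text -fingerprint -setalias "$alias" "$@" > "$dst"
}

# Succeeds only if FILE carries OpenSSL trust settings (TRUSTED CERTIFICATE).
is_trusted_cert() {
    grep -q '^-----BEGIN TRUSTED CERTIFICATE-----$' "$1"
}

# Print the roles openssl lists under HEADING ("Trusted Uses:" or
# "Rejected Uses:") for FILE. Prints nothing when the heading is absent,
# which is what a role that is neither trusted nor rejected looks like.
uses_under() {   # uses_under HEADING FILE
    openssl x509 -in "$2" -noout -text 2>/dev/null |
        awk -v hdr="$1" '$0 == hdr { getline; sub(/^ +/, ""); print; exit }'
}
trusted_uses()  { uses_under "Trusted Uses:" "$1"; }
rejected_uses() { uses_under "Rejected Uses:" "$1"; }

make_test_ca

# 1. Trusted for TLS and S/MIME, explicitly rejected for code signing.
mk_trusted_cert "$WORK/ca.crt" "$LOCALDIR/Example_Local_CA.pem" "Example Local CA" \
    -addtrust serverAuth -addtrust emailProtection -addreject codeSigning

# 2. Trusted for TLS only: emailProtection and codeSigning are neither
#    trusted nor rejected, the ambiguous state the README warns about.
mk_trusted_cert "$WORK/ca.crt" "$LOCALDIR/Example_Local_CA_tls_only.pem" "Example Local CA" \
    -addtrust serverAuth

# 3. An override: the same CA with serverAuth rejected. A file like this in
#    /etc/ssl/local is how Mozilla's trust values for a root are overridden.
mk_trusted_cert "$WORK/ca.crt" "$LOCALDIR/Example_Local_CA_no_tls.pem" "Example Local CA" \
    -addreject serverAuth

for f in "$LOCALDIR"/*.pem; do
    printf '%s\n  trusted:  %s\n  rejected: %s\n' "$f" \
        "$(trusted_uses "$f")" "$(rejected_uses "$f")"
done
```

The read-back relies on openssl x509 -text printing the certificate's trust
auxiliary data ("Trusted Uses:", "Rejected Uses:", "Alias:") after the
certificate body; a plain certificate prints none of these, which is how the
script distinguishes "not mentioned" from "rejected" for a role.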