Go to file
2019-01-01 19:35:19 -06:00
systemd Actually depend on the network-onlne.target. 2018-09-02 03:11:54 -05:00
CHANGELOG Fix certificate label in local certificates 2019-01-01 19:35:19 -06:00
CS.txt Add email and code signing single stores. 2017-09-27 00:32:19 -05:00
help2man Add Makefile and help2man script. 2017-09-14 21:29:03 -05:00
include.h2m Update documentation and program output 2017-09-22 19:57:31 -05:00
LICENSE Fix license again. 2017-09-19 00:33:25 -05:00
LICENSE.GPLv3 refactor, fix license, check executable bit 2017-09-19 00:31:40 -05:00
make-ca Fix certificate label in local certificates 2019-01-01 19:35:19 -06:00
make-ca.conf.dist Use md5sum values for anchors.txt to detect p11-kit changes 2019-01-01 14:08:35 -06:00
Makefile Allow definition of configuratino file and install default configuration file. 2018-12-01 17:21:37 -06:00
README Add anchorlist for use by p11-kit to utilize LOCALDIR 2018-12-28 00:41:01 -06:00

make-ca is a utility to deliver and manage a complete PKI configuration for
workstaitons and servers using only standard Unix utilities and OpenSSL. It
will optionally generate keystores for OpenJDK and NSS if already installed,
using a Mozilla cacerts.txt or like formatted file. It was originally developed
for use with Linux From Scratch to minimize dependencies for early system
build, but has been written to be generic enough for any Linux distribution.

The make-ca script will process the certificates included in the certdata.txt
file for use in multiple certificate stores (if the associated applications are
present on the system). Additionally, any local certificates stored in
/etc/ssl/local will be imported to the certificate stores. Certificates in this
directory should be stored as PEM encoded OpenSSL trusted certificates.

To create an OpenSSL trusted certificate from a regular PEM encoded file,
provided by a CA not included in Mozilla's certificate distribution, you need
to add trust arguments to the openssl command, and create a new certificate.
There are three trust types that are recognized by the make-ca.sh script,
SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you
want it to be trusted for all three roles, the following commands will create
an appropriate OpenSSL trusted certificate:

# install -vdm755 /etc/ssl/local &&
# wget http://www.cacert.org/certs/root.crt &&
# openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
          -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
          > /etc/ssl/local/CAcert_Class_1_root.pem

If one of the three trust arguments is omitted, the certificate is neither
trusted, nor rejected for that role. Clients that use OpenSSL or NSS
encountering this certificate will present a warning to the user. Clients using
GnuTLS without p11-kit support are not aware of trusted certificates. To
include this CA into the ca-bundle.crt (used for GnuTLS), it must have
serverAuth trust. Additionally, to explicitly disallow a certificate for a
particular use, replace the -addtrust flag with the -addreject flag.

Local trust overrides are handled entirely using the /etc/ssl/local directory.
To override Mozilla's trust values, simply make a copy of the certificate in
the local directory with alternate trust values.

Additionally, for the p11-kit distro hook, remove the "not configured" and
"exit 1" lines from trust/trust-extract-compat.in, and add the following
commands:

===============================================================================
# Use make-ca to manage certificates
if [ -f /etc/make-ca.conf ]; then
    . /etc/make-ca.conf
else
    #Use defaults if make-ca.conf does not exist
    ANCHORDIR="/etc/pki/anchors"
    ANCHORLIST="/etc/pki/anchors.txt"
    LOCALDIR="/etc/ssl/local"
    CERTLIST=""
fi

# Create a list of certificates not present at previous run
for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do
    /bin/grep "${ca}" "${ANCHORLIST}" 2>&1>/dev/null || \
        CERTLIST="${CERTLIST} ${ca}"
done

# Dump to a temporary directory
TEMPDIR=`mktemp -d`
/usr/bin/trust extract --filter=certificates --format=openssl-directory \
                       --overwrite "${TEMPDIR}"

# Copy new certificates to LOCALDIR
for certificate in `echo "${CERTLIST}"` ; do
    LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"`
    LABELNEW=`echo "${LABEL}" | \
                   /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
    cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
    unset LABEL LABELNEW
done

# Clean up
rm -rf "${TEMPDIR}"
unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR

# Generate a new trust store
/usr/sbin/make-ca -f
EOF
===============================================================================