Go to file
2021-08-05 22:31:13 -05:00
systemd Revert change to use /usr/bin/update-ca-certifiates for systemd service 2019-04-13 00:06:14 -05:00
CHANGELOG make-ca: Use p11label value and .p11-kit extension for anchor naming. 2021-08-05 22:31:13 -05:00
copy-trust-modifications copy-trust-modifications: Use X509v3 Key Usage section to determine local trust for anchros added using tust utiltiy. 2021-08-05 22:27:20 -05:00
CS.txt CS.txt: Replace outdated URL with current URL 2020-11-12 20:39:35 -06:00
help2man help2man: revert update (requires full perl environment) 2020-03-07 22:55:16 -06:00
include.h2m make-ca, include.h2m: Add detailed dependncy info and add note about configuration file 2020-03-07 22:37:27 -06:00
LICENSE LICENSE,CHANGELOG: Fix grammar and typos. 2021-08-05 20:48:55 -05:00
LICENSE.GPLv3 refactor, fix license, check executable bit 2017-09-19 00:31:40 -05:00
LICENSE.MIT LICENSE{,.MIT}:Clarify dual license. 2021-08-05 20:06:50 -05:00
make-ca make-ca: Use p11label value and .p11-kit extension for anchor naming. 2021-08-05 22:31:13 -05:00
make-ca.conf.dist make-ca.conf.dist: Fix typos in comment 2020-11-12 20:49:53 -06:00
Makefile Makefile: add dependency so "make install" won't need -j1 2020-02-05 14:47:02 +08:00
README CHANGELOG,README: udpate version requirements for p11-kit to 0.23.19. 2021-08-05 20:40:36 -05:00

make-ca is a utility to deliver and manage a complete PKI configuration for
workstations and servers using only standard Unix utilities, OpenSSL, and
p11-kit, using a Mozilla cacerts.txt or like file as the trust source. It can
optionally generate keystores for OpenJDK PKCS#12 and NSS if installed. It was
originally developed for use with Linux From Scratch to minimize dependencies
for early system build, but has been written to be generic enough for any Linux
distribution.

The make-ca script will process the certificates included in the certdata.txt
file, and place them in the system trust anchors, for use in multiple
certificate stores. Additionally, any local OpenSSL Trusted  certificates
stored in /etc/ssl/local will also be imported into the system trust anchors
and certificate stores making it a full trust management utiltiy.

The make-ca script depends on OpenSSL >= 1.1.0, P11-Kit >= 0.23.19, and
optionally NSS >= 3.23 and Java >= 1.7. Additionally, Coreutils, gawk, and
sed are used. The default locations for output files can be tailored for
your environment via the /etc/make-ca.conf configuration file.

A p11-kit helper, copy-trust-modifications, is included for use in p11-kit's
trust-extract-compat script (which should be symlinked to the user's path as
update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no
longer required for general use. Instead, import the certificate using
p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality,
which will recreate the individual stores assigning serverAuth permissions to
the added certificate. A copy of any newly added anchors will be placed
into $LOCALDIR (in the correct format) by the p11-kit helper script, and the
individual stores will be recreated.

For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
from trust/trust-extract-compat, and append the following:
===============================================================================
# Copy existing modifications to local store
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g
===============================================================================

If you wish to distribute the results of this script as a standalone package,
unlike in the BLFS distribution for which it was originally written, where the
end user is ultimately responsible for the content, you, as the distributor, are
taking ownership for the results. You are strongly encouraged to define a
written inclusion policy, distribute all blacklisted files as a part of the
local directory, and to provide the written policy in the distributed package.

While the p11-kit trust utility can be used in most simple cases, you may
require additional trust arguments for certian certificates. In these cases,
you will need to manually create an OpenSSL trusted certificate from a regular
PEM encoded file (use -inform for der or pkcs7 encoded certs).There are three
trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and
code signing. For example, using the CAcert root, if you want it to be trusted
for all three roles, the following commands will create an appropriate OpenSSL
Trusted certificate:

# install -vdm755 /etc/ssl/local &&
# wget http://www.cacert.org/certs/root.crt &&
# openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
          -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
          > /etc/ssl/local/CAcert_Class_1_root.pem

If one of the three trust arguments is omitted, the certificate is neither
trusted, nor rejected for that role. Clients using GnuTLS without p11-kit
support are not aware of trusted certificates. To include this CA into the
ca-bundle.crt (used for GnuTLS linked applications not using the p11-module),
it must have serverAuth trust. Additionally, to explicitly disallow a
certificate for a particular use, replace the -addtrust flag with the
-addreject flag.

Local trust overrides are handled entirely using the /etc/ssl/local directory.
To override Mozilla's trust values, simply make a copy of the certificate in
the local directory with alternate trust values.