Author: bdubbs
Date: 2011-10-23 19:06:24 -0600 (Sun, 23 Oct 2011)
New Revision: 8915
Modified:
trunk/BOOK/general/genlib/libxslt.xml
trunk/BOOK/introduction/welcome/changelog.xml
trunk/BOOK/postlfs/security/cacerts.xml
Log:
Add routine to remove out of date CA certificates.
Modified: trunk/BOOK/general/genlib/libxslt.xml
===================================================================
--- trunk/BOOK/general/genlib/libxslt.xml 2011-10-23 22:03:46 UTC (rev
8914)
+++ trunk/BOOK/general/genlib/libxslt.xml 2011-10-24 01:06:24 UTC (rev
8915)
@@ -34,8 +34,7 @@
class="libraryfile">libxml2</filename> libraries to support
XSLT files.</para>
- &lfs65_checked;
- <para>&lfssvn_checked;20101029&lfssvn_checked2;</para>
+ &lfs70_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
@@ -90,16 +89,6 @@
</sect2>
- <!-- <sect2 role="commands">
- <title>Command Explanations</title>
-
- <para><command>sed -i "s/\$(PYTHON_SITE_PACKAGES)/'&'/"
- configure</command>: The quotes around this variable were inadvertently
- removed in this release. This command puts the quotes back in so that
- the variable is not interpreted as a shell command.</para>
-
- </sect2> -->
-
<sect2 role="content">
<title>Contents</title>
Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml 2011-10-23 22:03:46 UTC
(rev 8914)
+++ trunk/BOOK/introduction/welcome/changelog.xml 2011-10-24 01:06:24 UTC
(rev 8915)
@@ -45,6 +45,10 @@
<para>October 23rd, 2011</para>
<itemizedlist>
<listitem>
+ <para>[bdubbs] - Add routine to remove out of date
+ CA certificates.</para>
+ </listitem>
+ <listitem>
<para>[bdubbs] - Update to libxml2-2.7.8.</para>
</listitem>
<listitem>
Modified: trunk/BOOK/postlfs/security/cacerts.xml
===================================================================
--- trunk/BOOK/postlfs/security/cacerts.xml 2011-10-23 22:03:46 UTC (rev
8914)
+++ trunk/BOOK/postlfs/security/cacerts.xml 2011-10-24 01:06:24 UTC (rev
8915)
@@ -129,7 +129,7 @@
create this script as the <systemitem class="username">root</systemitem>
user:</para>
- <screen><userinput>cat > /bin/make-ca.sh << "EOF"
+ <screen><userinput>cat > /bin/make-ca.sh << "EOF"
#!/bin/bash
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
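Review bot: the removed and added `<screen><userinput>cat > /bin/make-ca.sh << "EOF"` lines are byte-identical as shown, so this hunk is presumably a whitespace-only change (indentation or trailing space); if that is intentional, a word in the log message would help, otherwise the hunk can be dropped to keep the diff focused on the new script.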
@@ -227,6 +227,37 @@
chmod +x /bin/make-ca.sh</userinput></screen>
+ <para>Add a short script to remove expired certifictes from a directory.
+ Again create this script as the <systemitem
+ class="username">root</systemitem> user:</para>
+
+ <screen><userinput>cat > /bin/remove-expired-certs.sh << "EOF"
+#!/bin/bash
+# Begin /bin/remove-expired-certs.sh
+
+OPENSSL=/usr/bin/openssl
+DIR=/etc/ssl/certs
+
+if [ $# -gt 0 ]; then
+ DIR="$1"
+fi
+
+certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
+today=$( date +%Y%m%d )
+
+for cert in $certs; do
+ notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
+ date=$( echo ${notafter} | sed 's/^notAfter=//' )
+
+ if [ $( date -d "${date}" +%Y%m%d ) -lt ${today} ]; then
+ echo "${cert} is expired! Removing..."
+ rm -f "${cert}"
+ fi
+done
+EOF
+
+chmod +x /bin/remove-expired-certs.sh</userinput></screen>
+
<para>The following commands will fetch the certificates and convert them to
the correct format. If desired, a web browser may be used instead of
<application>wget</application> but the file will need to be saved with the
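Review bot: the `find` expression in `certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )` parses as `( -type f -a -name "*.pem" ) -o -name "*.crt"`, so the `-type f` test does not apply to `*.crt` entries; group the name tests, e.g. `find "${DIR}" -type f \( -name "*.pem" -o -name "*.crt" \)`. The unquoted `$certs` in `for cert in $certs` also word-splits any path containing whitespace, and nothing checks that `$OPENSSL x509 -enddate` succeeded before the `date -d` comparison, so an unreadable or non-certificate file yields an empty `notafter` instead of being skipped with a message. On the default `DIR=/etc/ssl/certs`: running the script there after `c_rehash` leaves the hash symlinks that pointed at the deleted files dangling, so the text should either tell the reader to re-run `c_rehash` afterwards or document the script as operating on the staging `certs` directory, which is how the later hunk in this patch invokes it. Finally, "certifictes" in the new `<para>` should read "certificates".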
@@ -239,14 +270,17 @@
wget --output-document certdata.txt $url &&
unset certhost certdir url &&
-make-ca.sh</userinput></screen>
+make-ca.sh &&
+remove-expired-certs.sh certs</userinput></screen>
<para>Now, as the <systemitem class="username">root</systemitem>
user:</para>
-<screen><userinput>install -d ${SSLDIR}/certs &&
-cp -v certs/*.pem ${SSLDIR}/certs &&
-c_rehash &&
-install ca-bundle.crt ${SSLDIR}</userinput></screen>
+<screen><userinput>SSLDIR=/etc/ssl
&&
+install -d ${SSLDIR}/certs &&
+cp -v certs/*.pem ${SSLDIR}/certs &&
+c_rehash &&
+install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
+unset SSLDIR</userinput></screen>
<para>Finally, clean up the current directory:</para>
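Review bot: the `&&` after `SSLDIR=/etc/ssl` sits on its own line without a `+` marker, which looks like mail-client wrapping of `+<screen><userinput>SSLDIR=/etc/ssl &&`; worth confirming the committed file has it on one line, since a line beginning with a bare `&&` is a shell syntax error. Also `install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt` relies on the glob matching exactly one file: if a previous bundle is still in the directory, `install` is handed two sources and a non-directory destination and fails, so either name the file explicitly or have the clean-up step remove stale bundles first. Since `install` defaults to mode 0755, adding `-m 644` would avoid installing the bundle as an executable.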
@@ -263,7 +297,7 @@
<segtitle>Installed Directories</segtitle>
<seglistitem>
- <seg>make-ca.sh and make-cert.pl</seg>
+ <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
<seg>None</seg>
<seg>/etc/ssl/certs</seg>
</seglistitem>
@@ -296,6 +330,18 @@
</indexterm>
</listitem>
</varlistentry>
+
+ <varlistentry id="remove-expired-certs">
+ <term><command>remove-expired-certs.sh</command></term>
+ <listitem>
+ <para>is a utility <application>perl</application> script that
+ removed expired certificates fom a directory. The defaut
+ directory is <filename
class='directory'>/etc/ssl/ceerts</filename>.</para>
+ <indexterm zone="cacerts remove-expired-certs">
+ <primary
sortas="b-remove-expired-certs">remove-expired-certs</primary>
+ </indexterm>
+ </listitem>
+ </varlistentry>
</variablelist>
</sect2>
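Review bot: the new description is wrong on several points: `remove-expired-certs.sh` is a bash script (it starts with `#!/bin/bash`), not a `<application>perl</application>` script; "removed" should be "removes", "fom" should be "from", "defaut" should be "default"; and the default directory is `/etc/ssl/certs` (the script sets `DIR=/etc/ssl/certs`), not `/etc/ssl/ceerts`.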
--
http://linuxfromscratch.org/mailman/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page