Author: dj
Date: Sat Feb 23 21:03:15 2019
New Revision: 21237
Log:
Moved example configuration for make-ca to the configuration section.
Modified:
trunk/BOOK/general.ent
trunk/BOOK/introduction/welcome/changelog.xml
trunk/BOOK/postlfs/security/make-ca.xml
Modified: trunk/BOOK/general.ent
==============================================================================
--- trunk/BOOK/general.ent Fri Feb 22 14:42:23 2019 (r21236)
+++ trunk/BOOK/general.ent Sat Feb 23 21:03:15 2019 (r21237)
@@ -1,12 +1,12 @@
<!-- $LastChangedBy$ $Date$ -->
-<!ENTITY day "22"> <!-- Always 2 digits -->
+<!ENTITY day "24"> <!-- Always 2 digits -->
<!ENTITY month "02"> <!-- Always 2 digits -->
<!ENTITY year "2019">
<!ENTITY copyrightdate "2001-&year;">
<!ENTITY copyholder "The BLFS Development Team">
<!ENTITY version "&year;-&month;-&day;">
-<!ENTITY releasedate "February 22nd, &year;">
+<!ENTITY releasedate "February 24th, &year;">
<!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
<!ENTITY blfs-version "svn"> <!-- svn|[release #] -->
<!ENTITY lfs-version "development"> <!-- x.y|development -->
Modified: trunk/BOOK/introduction/welcome/changelog.xml
==============================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml Fri Feb 22 14:42:23
2019 (r21236)
+++ trunk/BOOK/introduction/welcome/changelog.xml Sat Feb 23 21:03:15
2019 (r21237)
@@ -42,6 +42,16 @@
</listitem>
-->
<listitem>
+ <para>February 24th, 2019</para>
+ <itemizedlist>
+ <listitem>
+ <para>[dj] - Moved example configuration for make-ca to the
+ configuration section.</para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+
+ <listitem>
<para>February 22nd, 2019</para>
<itemizedlist>
<listitem>
Modified: trunk/BOOK/postlfs/security/make-ca.xml
==============================================================================
--- trunk/BOOK/postlfs/security/make-ca.xml Fri Feb 22 14:42:23 2019
(r21236)
+++ trunk/BOOK/postlfs/security/make-ca.xml Sat Feb 23 21:03:15 2019
(r21237)
@@ -102,43 +102,8 @@
BLFS applications (if the recommended and optional applications are present
on the system). Any local certificates stored in
<filename>/etc/ssl/local</filename> will be imported to both the trust
- anchors and the generated certificate stores (overriding Mozilla's trust).
- Certificates in this directory should be stored as PEM encoded
- <application>OpenSSL</application> trusted certificates.</para>
-
- <para>To create an <application>OpenSSL</application> trusted certificate
- from a regular PEM encoded file, you need to add trust arguments to the
- <command>openssl</command> command, and create a new certificate. There are
- three trust types that are recognized by the
- <application>make-ca</application> script, SSL/TLS, S/Mime, and code
- signing. For example, using the
- <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
- trust both for all three roles, the following commands will create
- appropriate OpenSSL trusted certificates (run as the <systemitem
- class="username">root</systemitem> user after
- <xref linkend="wget"/> is installed):</para>
-
-<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &&
-wget http://www.cacert.org/certs/root.crt &&
-wget http://www.cacert.org/certs/class3.crt &&
-openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
- -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
- > /etc/ssl/local/CAcert_Class_1_root.pem &&
-openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root"
\
- -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
- > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
-
- <para>If one of the three trust arguments is omitted, the certificate is
- neither trusted, nor rejected for that role. Clients that use
- <application>OpenSSL</application> or <application>NSS</application>
- encountering this certificate will present a warning to the user. Clients
- using <application>GnuTLS</application> without
- <application>p11-kit</application> support are not aware of trusted
- certificates. To include this CA into the ca-bundle.crt (used for
- <application>GnuTLS</application>), it must have <envar>serverAuth</envar>
- trust. Additionally, to explicitly disallow a certificate for a particular
- use, replace the <parameter>-addtrust</parameter> flag with the
- <parameter>-addreject</parameter> flag.</para>
+ anchors and the generated certificate stores (overriding Mozilla's
+ trust).</para>
<para>To install the various certificate stores, first install the
<application>make-ca</application> script into the correct location.
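Review bot: With the format requirement dropped from this paragraph, the installation section now names `/etc/ssl/local` ("Any local certificates stored in /etc/ssl/local will be imported ...") without saying that files placed there must be OpenSSL trusted certificates or where that is explained; the removed sentence "Certificates in this directory should be stored as PEM encoded OpenSSL trusted certificates" was the only hint at this point. Suggest keeping a short pointer after `(overriding Mozilla's trust).</para>`, for example a sentence with `<xref linkend="make-ca-config"/>`, so a reader who drops an ordinary PEM file into the directory is sent to the trust-argument instructions this commit moves to the configuration section.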
@@ -164,7 +129,7 @@
<para>Previous versions of BLFS used the path
<filename>/etc/ssl/ca-bundle.crt</filename> for the
<xref linkend="gnutls"/> certificate store. If software is still installed
- that references this file, create a compatibilty symlink for the old
+ that references this file, create a compatibility symlink for the old
location as the <systemitem class="username">root</systemitem> user:</para>
<screen role="nodump"><userinput>ln -sfv /etc/pki/tls/certs/ca-bundle.crt \
@@ -197,7 +162,7 @@
<sect2 role="configuration" id="make-ca-config">
<title>Configuring make-ca</title>
- <para>Genearally, no configuration is necessary on an LFS system, however,
+ <para>For most users, no additional configuration is necessary, however,
the default <filename>certdata.txt</filename> file provided by make-ca
is obtained from the mozilla-release branch, and is modified to provide a
Mercurial revision. This will be the correct version for most systems.
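Review bot: The rewritten opening sentence still joins two independent clauses with ", however,": `For most users, no additional configuration is necessary, however,` / `the default certdata.txt file provided by make-ca`. Suggest ending the first sentence after "necessary" and starting the next with "However, the default ..."; the "Genearally" typo fix itself is fine.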
@@ -213,6 +178,73 @@
<primary sortas="e-etc-make-ca-conf">/etc/make-ca.conf</primary>
</indexterm>
+ <bridgehead renderas="sect3">About Trust Arguments</bridgehead>
+
+ <para>There are three trust types that are recognized by the
+ <application>make-ca</application> script, SSL/TLS, S/Mime, and code
+ signing. For <application>OpenSSL</application>, these are
+ <parameter>serverAuth</parameter>, <parameter>emailProtection</parameter>,
+ and <parameter>codeSigning</parameter> respectively. If one of the three
+ trust arguments is omitted, the certificate is neither trusted, nor
+ rejected for that role. Clients that use <application>OpenSSL</application>
+ or <application>NSS</application> encountering this certificate will
+ present a warning to the user. Clients using
+ <application>GnuTLS</application> without
+ <application>p11-kit</application> support are not aware of trusted
+ certificates. To include this CA into the
+ <filename>ca-bundle.crt</filename>,
+ <filename>email-ca-bundle.crt</filename>, or
+ <filename>objsign-ca-bundle.crt</filename> files
+ (the <application>GnuTLS</application> legacy bundles), it must have the
+ appropriate trust arguments.</para>
+
+ <bridgehead renderas="sect3">Adding Additional CA Certificates</bridgehead>
+
+ <para>The <filename class="directory">/etc/ssl/local</filename> directory
+ is available to add additional CA certificates to the system. For instance,
+ you might need to add an organization or government CA certificate.
+ Files in this directory must be in the <application>OpenSSL</application>
+ trusted certificate format. To create an <application>OpenSSL</application>
+ trusted certificate from a regular PEM encoded file, you need to add trust
+ arguments to the <command>openssl</command> command, and create a new
+ certificate. For example, using the
+ <ulink url="http://www.cacert.org/">CAcert</ulink> roots, if you want to
+ trust both for all three roles, the following commands will create
+ appropriate OpenSSL trusted certificates (run as the
+ <systemitem class="username">root</systemitem> user after
+ <xref linkend="wget"/> is installed):</para>
+
+<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &&
+wget http://www.cacert.org/certs/root.crt &&
+wget http://www.cacert.org/certs/class3.crt &&
+openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
+ -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
+ > /etc/ssl/local/CAcert_Class_1_root.pem &&
+openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root"
\
+ -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
+ > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
+
+ <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
+
+ <para>Occasionally, there may be instances where you don't agree with
+ Mozilla's inclusion of a particular certificate authority. If you'd like
+ to override the default trust of a particular CA, simply create a copy of
+ the existing certificate in
+ <filename class="directory">/etc/ssl/local</filename> with different trust
+ arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root"
+ file, run the following commands:</para>
+
+<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &&
+openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
+ -text \
+ -fingerprint
+ -setalias "Disabled Makebelieve CA Root" \
+ -addreject serverAuth \
+ -addreject emailProtection \
+ -addreject codeSigning \
+ > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &&
+/usr/sbin/make-ca -r -f</userinput></screen>
+
</sect2>
<sect2 role="content">
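Review bot: The `-fingerprint` line in the Overriding Mozilla Trust screen block has no trailing backslash (`-text \` / `-fingerprint` / `-setalias "Disabled Makebelieve CA Root" \`), so the shell ends the openssl command after `-fingerprint` (which only prints the certificate to the terminal), then tries to execute `-setalias` as a command of its own with the redirection attached, leaving an empty `Disabled_Makebelieve_CA_Root.pem` in `/etc/ssl/local` and, because of the `&&`, never running `make-ca -r -f`; add the missing `\` so the whole command is one invocation. Also, `-addreject` is now used in an example without being explained: the old text's sentence "to explicitly disallow a certificate for a particular use, replace the -addtrust flag with the -addreject flag" was dropped, and the new About Trust Arguments paragraph describes only the trusted and the omitted case, so a sentence there stating that `-addreject` marks the certificate as rejected for that role would make the distrust example self-explanatory. Minor: "if you want to trust both for all three roles" in Adding Additional CA Certificates reads better as "trust both roots for all three roles".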
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page