Author: dj
Date: Sat Apr 13 13:06:50 2019
New Revision: 21457

Log:
Update to make-ca-1.4.

Modified:
   trunk/BOOK/general.ent
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/packages.ent
   trunk/BOOK/postlfs/security/make-ca.xml
   trunk/BOOK/postlfs/security/p11-kit.xml

Modified: trunk/BOOK/general.ent
==============================================================================
--- trunk/BOOK/general.ent      Sat Apr 13 10:44:36 2019        (r21456)
+++ trunk/BOOK/general.ent      Sat Apr 13 13:06:50 2019        (r21457)
@@ -1,12 +1,12 @@
 <!-- $LastChangedBy$ $Date$ -->
 
-<!ENTITY day          "11">                   <!-- Always 2 digits -->
+<!ENTITY day          "13">                   <!-- Always 2 digits -->
 <!ENTITY month        "04">                   <!-- Always 2 digits -->
 <!ENTITY year         "2019">
 <!ENTITY copyrightdate "2001-&year;">
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "April 11th, &year;">
+<!ENTITY releasedate  "April 13th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
 <!ENTITY lfs-version  "development">          <!-- x.y|development -->

Modified: trunk/BOOK/introduction/welcome/changelog.xml
==============================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml       Sat Apr 13 10:44:36 2019        (r21456)
+++ trunk/BOOK/introduction/welcome/changelog.xml       Sat Apr 13 13:06:50 2019        (r21457)
@@ -42,6 +42,15 @@
     </listitem>
 -->
     <listitem>
+      <para>April 13th, 2019</para>
+      <itemizedlist>
+        <listitem>
+          <para>[dj] - Update to make-ca-1.4.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>April 11th, 2019</para>
       <itemizedlist>
         <listitem>

Modified: trunk/BOOK/packages.ent
==============================================================================
--- trunk/BOOK/packages.ent     Sat Apr 13 10:44:36 2019        (r21456)
+++ trunk/BOOK/packages.ent     Sat Apr 13 13:06:50 2019        (r21457)
@@ -24,7 +24,7 @@
 <!ENTITY linux-pam-version            "1.3.0">
 <!ENTITY linux-pam-docs-version       "1.2.0">
 <!ENTITY libpwquality-version         "1.4.0">
-<!ENTITY make-ca-version              "1.2">
+<!ENTITY make-ca-version              "1.4">
 <!ENTITY mitkrb-major-version         "1.17">
 <!ENTITY mitkrb-version               "1.17">
 <!ENTITY nettle-version               "3.4.1">

Modified: trunk/BOOK/postlfs/security/make-ca.xml
==============================================================================
--- trunk/BOOK/postlfs/security/make-ca.xml     Sat Apr 13 10:44:36 2019        (r21456)
+++ trunk/BOOK/postlfs/security/make-ca.xml     Sat Apr 13 13:06:50 2019        (r21457)
@@ -11,7 +11,7 @@
 
   <!ENTITY make-ca-download      "https://github.com/djlucas/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz";>
   <!ENTITY make-ca-size          "28 KB">
-  <!ENTITY make-ca-md5sum        "5b68cf77b02d5681f8419b8acfd139c0">
+  <!ENTITY make-ca-md5sum        "995896ca8b4ee1f92a4a8fa46585d59d">
 ]>
 
 <sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">
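Review bot: `make-ca-md5sum` is still the only integrity value published for this tarball, and MD5 does not resist deliberate collisions, which matters more than usual here because the script goes on to build the system trust store. If the book's package template allows it, I would publish a SHA-256 digest of the 1.4 tarball next to the MD5, or point readers to a signed release if upstream provides one. Separately, `make-ca-size` is left at `28 KB` in the context line; it is worth confirming that it still matches the 1.4 tarball. The DTD block this hunk touches starts above the hunk.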
@@ -103,13 +103,18 @@
     on the system). Any local certificates stored in
     <filename>/etc/ssl/local</filename> will be imported to both the trust
     anchors and the generated certificate stores (overriding Mozilla's
-    trust).</para>
+    trust). Additionally, any modified trust values will be copied from the
+    trust anchors to <filename>/etc/ssl/local</filename> prior to any updates,
+    preserving custom trust values that differ from Mozilla when using the
+    <command>trust</command> utility from <application>p11-kit</application>
+    to operate on the trust store.</para>
 
     <para>To install the various certificate stores, first install the
     <application>make-ca</application> script into the correct location.
     As the <systemitem class="username">root</systemitem> user:</para>
 
-<screen role="root"><userinput>make install</userinput></screen>
+<screen role="root"><userinput>make install &amp;&amp;
+install -vdm755 /etc/ssl/local</userinput></screen>
 
    <para>As the <systemitem class="username">root</systemitem> user, after
    installing <xref linkend="p11-kit"/>, download the certificate source and
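Review bot: The added sentence says that trust values changed with `trust` are copied into `/etc/ssl/local` before any update, but it does not spell out that this makes them persistent: the paragraph already states that anything in that directory overrides Mozilla's trust, so a change made by mistake is carried forward on every later run. I would add a sentence such as `Review the contents of <filename>/etc/ssl/local</filename> after changing trust values, as every file there overrides Mozilla's trust on each update.` The paragraph begins above the hunk.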
@@ -135,7 +140,7 @@
 <screen role="nodump"><userinput>ln -sfv /etc/pki/tls/certs/ca-bundle.crt \
         /etc/ssl/ca-bundle.crt</userinput></screen>
 
-    <para>You should periodically update the store with the above command
+    <para>You should periodically update the store with the above command,
     either manually, or via a <phrase revision="sysv">cron job.</phrase>
     <phrase revision="systemd">systemd timer. A timer is installed at
     <filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
@@ -214,15 +219,15 @@
     <systemitem class="username">root</systemitem> user after
     <xref linkend="wget"/> is installed):</para>
 
-<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
-wget http://www.cacert.org/certs/root.crt &amp;&amp;
+<screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt &amp;&amp;
 wget http://www.cacert.org/certs/class3.crt &amp;&amp;
 openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
         > /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
 openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
-        > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
+        > /etc/ssl/local/CAcert_Class_3_root.pem &amp;&amp;
+/usr/sbin/make-ca -r -f</userinput></screen>
 
     <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
 
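Review bot: Both CAcert roots are fetched over plain `http://` and, with the `/usr/sbin/make-ca -r -f` line added at the end of the `&amp;&amp;` chain, they become trust anchors for serverAuth, emailProtection and codeSigning without the reader ever comparing a fingerprint. The `-fingerprint` output is redirected into the `.pem` files together with `-text`, so nothing is shown on screen. I would split the `<screen>` in two: end the first part after the downloads with `openssl x509 -in root.crt -noout -fingerprint -sha256` (and the same for `class3.crt`), tell the reader to compare the values with the fingerprints CAcert publishes, obtained over a separate channel, and only then run the `-addtrust` commands and `make-ca -r -f`. The paragraph introducing the commands starts above the hunk.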
@@ -234,8 +239,7 @@
     arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root"
     file, run the following commands:</para>
 
-<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
-openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
+<screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
              -text \
              -fingerprint 
              -setalias "Disabled Makebelieve CA Root" \
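Review bot: As shown here, the context line `-fingerprint` has no trailing `\`, unlike the lines around it, so a reader who pastes the block would end the `openssl x509` command at that line and the shell would then try to run `-setalias` as a command of its own. If that is really in the file and not an artefact of this mail, the distrust entry is never written and the CA stays trusted while the reader believes otherwise; the line should read `-fingerprint \`. The command continues below the hunk, so the rest of it could not be checked.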

Modified: trunk/BOOK/postlfs/security/p11-kit.xml
==============================================================================
--- trunk/BOOK/postlfs/security/p11-kit.xml     Sat Apr 13 10:44:36 2019        (r21456)
+++ trunk/BOOK/postlfs/security/p11-kit.xml     Sat Apr 13 13:06:50 2019        (r21457)
@@ -228,10 +228,13 @@
           <para>
             is a command line tool to both extract local certificates from an
             upadated anchor store, and regenerate all anchors and certificate
-            stores on the system.
+           stores on the system. This is done unconditionally on BLFS using
+            the <parameter>--force</parameter> and <parameter>--get</parameter>
+            flags to <command>make-ca</command> and should likely not be used
+            for automated updates.
           </para>
           <indexterm zone="p11-kit update-ca-certificates">
-            <primary sortas="b-trust">update-ca-certificates</primary>
+            <primary sortas="b-update-ca-certificates">update-ca-certificates</primary>
           </indexterm>
         </listitem>
       </varlistentry>
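Review bot: The added sentence says the regeneration is done "unconditionally" and "should likely not be used for automated updates" without saying what goes wrong, so the reader cannot judge the risk. I would state the consequence directly, for example `Because it always passes --force and --get, every store is regenerated on each run; use the periodic update described for make-ca for unattended updates.`, with the wording confirmed against what the two flags do in make-ca 1.4. The context line above still carries the typo `upadated`, and the new `stores on the system.` line is indented one column less than its neighbours.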