Public Key Infrastructure (PKI) is a method to validate the authenticity of an otherwise unknown entity across untrusted networks. PKI works by establishing a chain of trust, rather than trusting each individual host or entity explicitly. In order for a certificate presented by a remote entity to be trusted, that certificate must present a complete chain of certificates that can be validated using the root certificate of a Certificate Authority (CA) that is trusted by the local machine.
Establishing trust with a CA involves validating things like company address, ownership, contact information, etc., and ensuring that the CA has followed best practices, such as undergoing periodic security audits by independent investigators and maintaining an always available certificate revocation list. This is well outside the scope of BLFS (as it is for most Linux distributions). The certificate store provided here is taken from the Mozilla Foundation, who have established very strict inclusion policies described here.
This package is known to build and work properly using an LFS-8.0 platform.
Download (HTTP): http://anduin.linuxfromscratch.org/BLFS/other/make-ca.sh-20170119
Download size: 11 KB
Download MD5 Sum: cce9fa4713c4611d9e61f99de612a1e9
Estimated disk space required: 4.7 MB (with all runtime deps)
Estimated build time: 0.2 SBU (with all runtime deps)
CA Certificates http://anduin.linuxfromscratch.org/BLFS/other/certdata.txt
Java-1.8.0.121 or OpenJDK-1.8.0.121, and NSS-3.29
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cacerts
The make-ca.sh script will process the certificates included in the certdata.txt file for use in multiple certificate stores (if the associated applications are present on the system). Additionally, any local certificates stored in /etc/ssl/local will be imported to the certificate stores. Certificates in this directory should be stored as PEM encoded OpenSSL trusted certificates.
To create an OpenSSL trusted certificate from a regular PEM encoded file, provided by a CA not included in Mozilla's certificate distribution, you need to add trust arguments to the openssl command, and create a new certificate. There are three trust types that are recognised by the make-ca.sh script, SSL/TLS, S/Mime, and code signing. For example, to allow a certificate to be trusted for both SSL/TLS and S/Mime, but explicitly rejected for code signing, you could use the following commands to create a new trusted certificate that has those trust attributes:
openssl x509 -in MyRootCA.pem -text -fingerprint -setalias "My Root CA 1"     \
        -addtrust serverAuth -addtrust emailProtection -addreject codeSigning \
        > MyRootCA-trusted.pem
        
If a trust argument is omitted, the certificate is neither trusted, nor rejected. Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA into the ca-bundle.crt (used for GnuTLS), it must have serverAuth trust.
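The two paragraphs above describe what make-ca.sh does with certdata.txt and how the three trust types map onto the -addtrust/-addreject arguments of openssl x509. The following is an added example, written for this page and not taken from make-ca.sh or the Mozilla sources: it parses a constructed certdata.txt excerpt (the CKA_VALUE bytes are a placeholder, not a real certificate), converts each certificate's octal-encoded DER into a plain PEM block, and derives the trust arguments from the CKO_NSS_TRUST records using the NSS flag names CKT_NSS_TRUSTED_DELEGATOR, CKT_NSS_NOT_TRUSTED and CKT_NSS_MUST_VERIFY_TRUST. Matching a certificate to its trust record by CKA_LABEL, and the function names, are assumptions of this example.

```python
import base64

# The three trust types make-ca.sh recognises, keyed by their certdata.txt
# attribute and mapped to the purpose name openssl x509 takes after
# -addtrust / -addreject.
TRUST_ATTRS = {
    "CKA_TRUST_SERVER_AUTH": "serverAuth",
    "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
    "CKA_TRUST_CODE_SIGNING": "codeSigning",
}


def parse_certdata(text):
    """Parse certdata.txt into a list of attribute dicts, one per object.

    Every object starts at a CKA_CLASS line. MULTILINE_OCTAL values run
    until an END line and are kept as the raw backslash-octal string.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # BEGINDATA and similar header lines
        name, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if ctype == "MULTILINE_OCTAL":
            octal = []
            for raw in lines:
                if raw.strip() == "END":
                    break
                octal.append(raw.strip())
            value = "".join(octal)
        elif ctype == "UTF8":
            value = value.strip('"')
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[name] = value
    return objects


def octal_to_der(value):
    """Turn a MULTILINE_OCTAL string such as '\\060\\202' into DER bytes."""
    return bytes(int(octet, 8) for octet in value.split("\\") if octet)


def der_to_pem(der):
    """Wrap DER bytes as a plain (not yet trusted) PEM certificate."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def trust_arguments(trust_obj):
    """Map one CKO_NSS_TRUST record to openssl x509 trust arguments.

    CKT_NSS_TRUSTED_DELEGATOR -> -addtrust  (trusted as a CA for that use)
    CKT_NSS_NOT_TRUSTED       -> -addreject (explicitly distrusted)
    CKT_NSS_MUST_VERIFY_TRUST -> nothing    (neither trusted nor rejected)
    """
    args = []
    for attr, purpose in TRUST_ATTRS.items():
        flag = trust_obj.get(attr, "CKT_NSS_MUST_VERIFY_TRUST")
        if flag == "CKT_NSS_TRUSTED_DELEGATOR":
            args += ["-addtrust", purpose]
        elif flag == "CKT_NSS_NOT_TRUSTED":
            args += ["-addreject", purpose]
    return args


def build_trust_plan(text):
    """Return {label: (pem, openssl_argv)} for every certificate that has a
    trust record. Certificate and trust record are paired by CKA_LABEL
    (an assumption of this example). The PEM is meant to be fed to the
    returned command on stdin, which writes the trusted certificate."""
    objects = parse_certdata(text)
    certs = {o["CKA_LABEL"]: o for o in objects
             if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    plan = {}
    for obj in objects:
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        label = obj["CKA_LABEL"]
        if label not in certs:
            continue  # trust record without a certificate body: skip it
        pem = der_to_pem(octal_to_der(certs[label]["CKA_VALUE"]))
        argv = ["openssl", "x509", "-text", "-fingerprint", "-setalias", label]
        plan[label] = (pem, argv + trust_arguments(obj))
    return plan


# Constructed certdata.txt excerpt; the CKA_VALUE bytes are a placeholder.
CONSTRUCTED_CERTDATA = r'''
BEGINDATA

# Certificate "Example Root CA 1"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA 1"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
\003\004
END

# Trust for "Example Root CA 1": TLS and S/MIME trusted, code signing rejected
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED

# Certificate "Example Root CA 2"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA 2"
CKA_VALUE MULTILINE_OCTAL
\060\005
END

# Trust for "Example Root CA 2": neither trusted nor rejected for any use
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 2"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust record with no certificate body: ignored
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

if __name__ == "__main__":
    for label, (pem, argv) in build_trust_plan(CONSTRUCTED_CERTDATA).items():
        print(label, "->", " ".join(argv))
```

Run stand-alone, the script prints one openssl x509 command line per certificate; "Example Root CA 1" ends in -addtrust serverAuth -addtrust emailProtection -addreject codeSigning, while "Example Root CA 2" carries no trust argument at all, which is the case the text describes as neither trusted nor rejected (and, lacking serverAuth trust, it would not be included in the GnuTLS ca-bundle.crt).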
To install the various certificate stores, first install the make-ca.sh script into the correct location. As the root user:
install -vm755 make-ca.sh-20170119 /usr/sbin/make-ca.sh
As the root user, make sure that certdata.txt is in the current directory, and update the certificate stores with the following command:
/usr/sbin/make-ca.sh
You should periodically download a copy of certdata.txt and run the make-ca.sh script (as the root user), or as part of a monthly cron job, to ensure that you have the latest available version of the certificates.

If running the script a second time with the same version of certdata.txt, for instance, to add additional stores as the requisite software is installed, add the -f switch to the command line. If packaging, run make-ca.sh --help to see all available command line options.
The certdata.txt file provided by BLFS is obtained from the mozilla-release branch, and is modified to provide a simple dated revision. This will be the correct version for most systems. There are, however, several other variants of the file available for use that might be preferred for one reason or another, including the files shipped with Mozilla products in this book. RedHat and OpenSUSE, for instance, use the version included in NSS-3.29. Additional upstream downloads are available at the links below.
Mozilla Release (the version provided by BLFS): https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
NSS (this is the latest available version): https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt
Mozilla Central: https://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
Mozilla Beta: https://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
Mozilla Aurora: https://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
Last updated on 2017-02-14 22:04:32 -0800