Author: dj
Date: Fri Oct  6 20:31:58 2017
New Revision: 19295

Log:
Update to make-ca-0.5.

Modified:
   trunk/BOOK/general.ent
   trunk/BOOK/general/prog/openjdk.xml
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/packages.ent
   trunk/BOOK/postlfs/security/cacerts.xml
   trunk/BOOK/postlfs/security/nss.xml

Modified: trunk/BOOK/general.ent
==============================================================================
--- trunk/BOOK/general.ent      Fri Oct  6 19:35:56 2017        (r19294)
+++ trunk/BOOK/general.ent      Fri Oct  6 20:31:58 2017        (r19295)
@@ -1,12 +1,12 @@
 <!-- $LastChangedBy$ $Date$ -->
 
-<!ENTITY day          "06">                   <!-- Always 2 digits -->
+<!ENTITY day          "07">                   <!-- Always 2 digits -->
 <!ENTITY month        "10">                   <!-- Always 2 digits -->
 <!ENTITY year         "2017">
 <!ENTITY copyrightdate "2001-&year;">
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "October 6th, &year;">
+<!ENTITY releasedate  "October 7th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
 <!ENTITY lfs-version  "development">          <!-- x.y|development -->

Modified: trunk/BOOK/general/prog/openjdk.xml
==============================================================================
--- trunk/BOOK/general/prog/openjdk.xml Fri Oct  6 19:35:56 2017        (r19294)
+++ trunk/BOOK/general/prog/openjdk.xml Fri Oct  6 20:31:58 2017        (r19295)
@@ -510,8 +510,9 @@
       <option>--with-cacerts-file=...</option>: Specifies where to find a
       <filename>cacerts</filename> file, <filename class="directory">
       /etc/ssl/java/cacerts</filename> on a BLFS system. Otherwise, an empty
-      one is created. You can use the <command>make-ca.sh --force</command>
-      command to generate it, once you have installed the Java binaries.
+      one is created. You can use the
+      <command>/usr/sbin/make-ca --force</command> command to generate it, once
+      you have installed the Java binaries.
     </para>
 
     <para>

Modified: trunk/BOOK/introduction/welcome/changelog.xml
==============================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml       Fri Oct  6 19:35:56 
2017        (r19294)
+++ trunk/BOOK/introduction/welcome/changelog.xml       Fri Oct  6 20:31:58 
2017        (r19295)
@@ -42,6 +42,15 @@
     </listitem>
 -->
     <listitem>
+      <para>October 7th, 2017</para>
+      <itemizedlist>
+        <listitem>
+          <para>[dj] - Update to make-ca-0.5.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>Octobber 6th, 2017</para>
       <itemizedlist>
         <listitem>

Modified: trunk/BOOK/packages.ent
==============================================================================
--- trunk/BOOK/packages.ent     Fri Oct  6 19:35:56 2017        (r19294)
+++ trunk/BOOK/packages.ent     Fri Oct  6 20:31:58 2017        (r19295)
@@ -24,7 +24,7 @@
 <!ENTITY linux-pam-version            "1.3.0">
 <!ENTITY linux-pam-docs-version       "1.2.0">
 <!ENTITY libpwquality-version         "1.4.0">
-<!ENTITY make-ca-version              "20170514">
+<!ENTITY make-ca-version              "0.5">
 <!ENTITY mitkrb-major-version         "1.15">
 <!ENTITY mitkrb-version               "1.15.2">
 <!ENTITY nettle-version               "3.3">

Modified: trunk/BOOK/postlfs/security/cacerts.xml
==============================================================================
--- trunk/BOOK/postlfs/security/cacerts.xml     Fri Oct  6 19:35:56 2017        
(r19294)
+++ trunk/BOOK/postlfs/security/cacerts.xml     Fri Oct  6 20:31:58 2017        
(r19295)
@@ -6,14 +6,12 @@
 
   <!ENTITY certhost              "https://hg.mozilla.org/";>
   <!ENTITY certpath              "/lib/ckfw/builtins/certdata.txt">
-  <!ENTITY ca-bundle-download    "&sources-anduin-http;/other/certdata.txt">
-  <!ENTITY ca-bundle-size        "1.6 MB">
   <!ENTITY cacerts-buildsize     "6.5 MB (with all runtime deps)">
   <!ENTITY cacerts-time          "0.2 SBU (with all runtime deps)">
 
-  <!ENTITY make-ca-download      
"&sources-anduin-http;/other/make-ca.sh-&make-ca-version;">
-  <!ENTITY make-ca-size          "24 KB">
-  <!ENTITY make-ca-md5sum        "a21a04d6ff5c4645c748220dbaa9f221">
+  <!ENTITY make-ca-download      
"https://github.com/djlucas/make-ca/archive/v&make-ca-version;/make-ca-&make-ca-version;.tar.gz";>
+  <!ENTITY make-ca-size          "32 KB">
+  <!ENTITY make-ca-md5sum        "25033ded9dd0979226b8f3fd2792bd3a">
 ]>
 
 <sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
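Review bot: The new `make-ca-md5sum` entity is the only integrity value given for a tarball that is now fetched from a GitHub archive URL, installed as root, and used to decide which CAs the system trusts. MD5 does not resist deliberate collisions, so it catches a corrupted download but not a substituted one. If the book's package template allows it, a stronger digest could sit next to it, for example `<!ENTITY make-ca-sha256sum "<sha256-of-release-tarball>">` (a placeholder, not a real value). Alternatively the page could point to a signed release, if upstream publishes one.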
@@ -72,17 +70,6 @@
       </listitem>
     </itemizedlist>
 
-
-    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
-    <itemizedlist spacing="compact">
-      <listitem>
-        <para>
-          CA Certificates
-          <ulink url="&ca-bundle-download;"/>
-        </para>
-      </listitem>
-    </itemizedlist>
-
     <bridgehead renderas="sect3">Certificate Authority Certificates 
Dependencies</bridgehead>
 
     <bridgehead renderas="sect4">Required</bridgehead>
@@ -103,30 +90,33 @@
   <sect2 role="installation">
     <title>Installation of Certificate Authority Certificates</title>
 
-    <para>The <application>make-ca.sh</application> script will process the
-    certificates included in the <filename>certdata.txt</filename> file
-    for use in multiple certificate stores (if the associated applications are
-    present on the system). Additionally, any local certificates stored in
+    <para>The <application>make-ca</application> script will download and
+    process the certificates included in the <filename>certdata.txt</filename>
+    file for use in multiple certificate stores (if the associated applications
+    are present on the system). Additionally, any local certificates stored in
     <filename>/etc/ssl/local</filename> will be imported to the certificate
     stores. Certificates in this directory should be stored as PEM encoded
     <application>OpenSSL</application> trusted certificates.</para>
 
     <para>To create an <application>OpenSSL</application> trusted certificate
-    from a regular PEM encoded file, provided by a CA not included in Mozilla's
-    certificate distribution, you need to add trust arguments to the
+    from a regular PEM encoded file, you need to add trust arguments to the
     <command>openssl</command> command, and create a new certificate. There are
     three trust types that are recognized by the
-    <application>make-ca.sh</application> script, SSL/TLS, S/Mime, and code
+    <application>make-ca</application> script, SSL/TLS, S/Mime, and code
     signing. For example, using the
-    <ulink url="http://www.cacert.org/";>CAcert</ulink> root, if you want it to
-    be trusted for all three roles, the following commands will create an
-    appropriate OpenSSL trusted certificate:</para>
+    <ulink url="http://www.cacert.org/";>CAcert</ulink> roots, if you want to
+    trust both for all three roles, the following commands will create
+    appropriate OpenSSL trusted certificates:</para>
 
 <screen role="root"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
 wget http://www.cacert.org/certs/root.crt &amp;&amp;
+wget http://www.cacert.org/certs/class3.crt &amp;&amp;
 openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
-        > /etc/ssl/local/CAcert_Class_1_root.pem</userinput></screen>
+        > /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
+openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" 
\
+        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
+        > /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
 
     <para>If one of the three trust arguments is omitted, the certificate is
     neither trusted, nor rejected for that role. Clients that use
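Review bot: The added `wget http://www.cacert.org/certs/class3.crt` line, like the existing `root.crt` line above it, fetches a root certificate over plain HTTP. The `openssl x509 ... -addtrust` command that follows then marks it trusted for server authentication, e-mail protection and code signing, without the reader ever confirming that the file is genuine. `-fingerprint` writes the fingerprint into the output PEM, but nothing asks the reader to compare it with a known value. I would add a step before the two conversion commands, `openssl x509 -in class3.crt -noout -fingerprint -sha256` (and the same for `root.crt`). The preceding `<para>` should also tell the reader to compare the result with the fingerprint the CA publishes through a separate channel, and to stop if it differs.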
@@ -141,35 +131,33 @@
     <parameter>-addreject</parameter> flag.</para> 
 
     <para>To install the various certificate stores, first install the
-    <application>make-ca.sh</application> script into the correct location.
+    <application>make-ca</application> script into the correct location.
     As the <systemitem class="username">root</systemitem> user:</para>
 
-<screen role="root"><userinput>install -vm755 make-ca.sh-&make-ca-version; 
/usr/sbin/make-ca.sh</userinput></screen>
+<screen role="root"><userinput>make install</userinput></screen>
 
-   <para>As the <systemitem class="username">root</systemitem> user, make sure
-   that certdata.txt is in the current directory, and update the certificate
-   stores with the following command:</para>
+   <para>As the <systemitem class="username">root</systemitem> user, download
+   and update the certificate stores with the following command:</para>
 
     <note>
       <para>If running the script a second time with the same version of
       <filename>certdata.txt</filename>, for instance, to add additional stores
       as the requisite software is installed, add the <parameter>-f</parameter>
-      switch to the command line. If packaging, run <command>make-ca.sh
+      switch to the command line. If packaging, run <command>make-ca
       --help</command> to see all available command line options.</para>
     </note>
 
-<screen role="root"><userinput>/usr/sbin/make-ca.sh</userinput></screen>
+<screen role="root"><userinput>/usr/sbin/make-ca -g</userinput></screen>
 
-    <para>You should periodically download a copy of
-    <filename>certdata.txt</filename> and run the
-    <application>make-ca.sh</application> script (as the
-    <systemitem class="username">root</systemitem> user), or as part of a
-    monthly <application>cron</application> job to ensure that you have the
-    latest available version of the certificates.</para>
-
-    <para>The <filename>certdata.txt</filename> file provided by BLFS is
-    obtained from the mozilla-release branch, and is modified to provide a
-    simple dated revision. This will be the correct version for most
+    <para>You should periodically update the store with the above command
+    either manually, or via a <phrase revision="sysv">cron job.</phrase>
+    <phrase revision="systemd">systemd timer. A timer is installed at
+    <filename>/etc/systemd/system/update-pki.timer</filename> that, if enabled,
+    will check for updates weekly.</phrase></para>
+
+    <para>The default <filename>certdata.txt</filename> file provided by 
make-ca
+    is obtained from the mozilla-release branch, and is modified to provide a
+    Mercurial revision. This will be the correct version for most
     systems. There are, however, several other variants of the file available
     for use that might be preferred for one reason or another, including the
     files shipped with Mozilla products in this book. RedHat and OpenSUSE,
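Review bot: The rewritten paragraph before `/usr/sbin/make-ca -g` says the command will "download and update" the stores, but it does not say what `-g` does, where the file is fetched from, or how the download is authenticated on a system that has no trust store yet. That matters more now that the systemd variant can repeat the download weekly through `update-pki.timer`. I would add one sentence to that `<para>`, along the lines of `The -g switch fetches certdata.txt from &certhost; before rebuilding the stores`, plus a statement of how the server is verified on first run. The source is inferred from the `certhost` entity, so confirm it against the make-ca documentation. The paragraph that ends this hunk continues outside it.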
@@ -215,7 +203,7 @@
       <segtitle>Installed Directories</segtitle>
 
       <seglistitem>
-        <seg>make-ca.sh</seg>
+        <seg>make-ca</seg>
         <seg>None</seg>
         <seg>/etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}</seg>
       </seglistitem>
@@ -227,7 +215,7 @@
       <?dbhtml list-presentation="table"?>
 
       <varlistentry id="make-ca">
-        <term><command>make-ca.sh</command></term>
+        <term><command>make-ca</command></term>
         <listitem>
           <para>is a shell script that adapts a current version of
           <filename>certdata.txt</filename>, and prepares it for use

Modified: trunk/BOOK/postlfs/security/nss.xml
==============================================================================
--- trunk/BOOK/postlfs/security/nss.xml Fri Oct  6 19:35:56 2017        (r19294)
+++ trunk/BOOK/postlfs/security/nss.xml Fri Oct  6 20:31:58 2017        (r19295)
@@ -228,7 +228,7 @@
 
     <para>Additionally, for dependent applications that do not use the internal
     database (<filename>/usr/lib/libnssckbi.so</filename>), the
-    <filename>make-ca.sh</filename> script, included on the
+    <filename>/usr/sbin/make-ca</filename> script, included on the
     <xref linkend="cacerts"/> page, will generate a system wide NSS DB.</para>
 
   </sect2>