Public Key Infrastructure (PKI) is a method to validate the authenticity of an otherwise unknown entity across untrusted networks. PKI works by establishing a chain of trust, rather than trusting each individual host or entity explicitly. In order for a certificate presented by a remote entity to be trusted, that certificate must present a complete chain of certificates that can be validated using the root certificate of a Certificate Authority (CA) that is trusted by the local machine.
Establishing trust with a CA involves validating things like company address, ownership, contact information, etc., and ensuring that the CA has followed best practices, such as undergoing periodic security audits by independent investigators and maintaining an always available certificate revocation list. This is well outside the scope of BLFS (as it is for most Linux distributions). The certificate store provided here is taken from the Mozilla Foundation, who have established very strict inclusion policies described here.
This package is known to build and work properly using an LFS-8.4 platform.
Download (HTTP): https://github.com/djlucas/make-ca/releases/download/v1.2/make-ca-1.2.tar.xz
Download size: 28 KB
Download MD5 Sum: 5b68cf77b02d5681f8419b8acfd139c0
Estimated disk space required: 6.6 MB (with all runtime deps)
Estimated build time: 0.1 SBU (with all runtime deps)
p11-kit-0.23.15 (required at runtime to generate certificate stores from trust anchors)
Java-11.0.2 or OpenJDK-11.0.2 (to generate a java PKCS#12 store), and NSS-3.42.1 (to generate a shared NSSDB)
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/make-ca
The make-ca script will download and process the certificates included in the certdata.txt file for use as trust anchors for the p11-kit-0.23.15 trust module. Additionally, it will generate system certificate stores used by BLFS applications (if the recommended and optional applications are present on the system). Any local certificates stored in /etc/ssl/local will be imported to both the trust anchors and the generated certificate stores (overriding Mozilla's trust). Certificates in this directory should be stored as PEM encoded OpenSSL trusted certificates.
To create an OpenSSL trusted certificate from a regular PEM encoded file, you need to add trust arguments to the openssl command, and create a new certificate. There are three trust types that are recognized by the make-ca script: SSL/TLS, S/MIME, and code signing. For example, using the CAcert roots, if you want to trust both for all three roles, the following commands will create appropriate OpenSSL trusted certificates (run as the root user after Wget-1.20.1 is installed):
install -vdm755 /etc/ssl/local &&
wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
    -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
    > /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
    -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
    > /etc/ssl/local/CAcert_Class_3_root.pem
If one of the three trust arguments is omitted, the certificate is neither trusted nor rejected for that role. Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA in the ca-bundle.crt (used for GnuTLS), it must have serverAuth trust. Additionally, to explicitly disallow a certificate for a particular use, replace the -addtrust flag with the -addreject flag.
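The trust and reject flags set by the openssl commands above are stored in a small DER trailer (OpenSSL's CertAux structure) that follows the certificate inside the "TRUSTED CERTIFICATE" PEM block; a role that appears in neither list is what the text calls "neither trusted, nor rejected". The following script is an added example, not part of make-ca or BLFS: it parses that trailer so you can audit what each file in /etc/ssl/local actually grants before make-ca imports it. The CertAux layout and the three purpose OIDs are OpenSSL's; the script name trustaudit.py and the sample file built by build_sample_pem (a placeholder certificate body plus a constructed trailer) are assumptions made for the example, and OIDs outside the three roles are reported as hex rather than decoded.

```python
"""Audit the trust flags in OpenSSL 'trusted certificates', the format make-ca
imports from /etc/ssl/local.  Added example, not part of make-ca or BLFS."""
import base64
import re
import sys

# DER content octets of the extended-key-usage OIDs that openssl x509
# -addtrust/-addreject records for the three roles make-ca recognises.
PURPOSES = {bytes.fromhex("2b06010505070301"): "serverAuth",       # 1.3.6.1.5.5.7.3.1
            bytes.fromhex("2b06010505070304"): "emailProtection",  # 1.3.6.1.5.5.7.3.4
            bytes.fromhex("2b06010505070303"): "codeSigning"}      # 1.3.6.1.5.5.7.3.3
ROLES = tuple(PURPOSES.values())

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _oid_list(content):
    """Decode a SEQUENCE OF OBJECT IDENTIFIER body; unknown OIDs are kept as hex."""
    names, pos = [], 0
    while pos < len(content):
        tag, raw, pos = _read_tlv(content, pos)
        if tag == 0x06:
            names.append(PURPOSES.get(raw, "oid:" + raw.hex()))
    return names

def parse_trusted_certificate(pem_text):
    """Return {'alias', 'trust', 'reject'} from a TRUSTED CERTIFICATE PEM block.

    The base64 body is the certificate DER followed by OpenSSL's CertAux SEQUENCE
    (trust SEQUENCE OF OID, reject [0] IMPLICIT SEQUENCE OF OID, alias UTF8String,
    keyid OCTET STRING; all OPTIONAL, so an omitted role is simply unspecified).
    """
    m = re.search(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)-----END TRUSTED CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no TRUSTED CERTIFICATE block: a plain certificate carries no trust")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, _cert, pos = _read_tlv(der, 0)                # the X.509 certificate itself
    if tag != 0x30:
        raise ValueError("expected certificate SEQUENCE")
    result = {"alias": None, "trust": [], "reject": []}
    if pos >= len(der):                                # no CertAux trailer at all
        return result
    tag, aux, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("expected CertAux SEQUENCE")
    apos = 0
    while apos < len(aux):
        tag, val, apos = _read_tlv(aux, apos)
        if tag == 0x30:                                # trust
            result["trust"] = _oid_list(val)
        elif tag == 0xA0:                              # [0] IMPLICIT reject
            result["reject"] = _oid_list(val)
        elif tag == 0x0C:                              # alias (UTF8String)
            result["alias"] = val.decode("utf-8")
    return result

def role_status(settings):
    """Classify each make-ca role as trusted, rejected or unspecified (neither)."""
    return {r: "trusted" if r in settings["trust"]
            else "rejected" if r in settings["reject"] else "unspecified"
            for r in ROLES}

def _der(tag, content):
    """Short-form DER encoder, enough for the constructed sample below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def build_sample_pem(trust=(), reject=(), alias="Constructed sample root"):
    """Constructed sample: a placeholder certificate body plus a CertAux trailer."""
    by_name = {v: k for k, v in PURPOSES.items()}
    cert = _der(0x30, _der(0x02, b"\x01"))  # placeholder; a real file holds a full X.509 cert here
    aux = b""
    if trust:
        aux += _der(0x30, b"".join(_der(0x06, by_name[r]) for r in trust))
    if reject:
        aux += _der(0xA0, b"".join(_der(0x06, by_name[r]) for r in reject))
    aux += _der(0x0C, alias.encode("utf-8"))
    b64 = base64.b64encode(cert + _der(0x30, aux)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN TRUSTED CERTIFICATE-----\n{body}\n-----END TRUSTED CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python3 trustaudit.py /etc/ssl/local/CAcert_Class_1_root.pem
    # Without an argument the constructed sample (serverAuth and emailProtection only) is shown.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_pem(("serverAuth", "emailProtection"))
    info = parse_trusted_certificate(pem)
    print("alias:", info["alias"])
    for role, status in role_status(info).items():
        print(f"  {role:16s} {status}")
```

Run against a file written by the openssl commands above and the output lists each of the three roles as trusted, rejected or unspecified; a file that shows "unspecified" for serverAuth is the case the text describes, where the anchor will be left out of the GnuTLS ca-bundle.crt and OpenSSL or NSS clients will warn rather than trust it.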
To install the various certificate stores, first install the make-ca script into the correct location. As the root user:
make install
As the root user, after installing p11-kit-0.23.15, download the certificate source and prepare for system use with the following command:
/usr/sbin/make-ca -g
If running the script a second time with the same version of certdata.txt, for instance, to add additional stores as the requisite software is installed, add the -r switch to the command line. If packaging, run make-ca --help to see all available command line options.
Previous versions of BLFS used the path /etc/ssl/ca-bundle.crt for the GnuTLS-3.6.6 certificate store. If software is still installed that references this file, create a compatibility symlink for the old location as the root user:
ln -sfv /etc/pki/tls/certs/ca-bundle.crt \
    /etc/ssl/ca-bundle.crt
You should periodically update the store with the above command either manually, or via a cron job. If you've installed Fcron-3.2.1 and completed the section on periodic jobs, execute the following commands, as the root user, to create a weekly cron job:
install -vdm755 /etc/cron.weekly &&
cat > /etc/cron.weekly/update-pki.sh << "EOF" &&
#!/bin/bash
/usr/sbin/make-ca -g
EOF
chmod 754 /etc/cron.weekly/update-pki.sh
Generally, no configuration is necessary on an LFS system. However, the default certdata.txt file provided by make-ca is obtained from the mozilla-release branch, and is modified to provide a Mercurial revision. This will be the correct version for most systems. There are several other variants of the file available for use that might be preferred for one reason or another, including the files shipped with Mozilla products in this book. RedHat and OpenSUSE, for instance, use the version included in NSS-3.42.1. Additional upstream downloads are available at the links included in /etc/make-ca.conf.dist. Simply copy the file to /etc/make-ca.conf and edit as appropriate.
Last updated on 2019-02-15 13:28:28 -0600