Certificate Authority Certificates

Public Key Infrastructure (PKI) is a method to validate the authenticity of an otherwise unknown entity across untrusted networks. PKI works by establishing a chain of trust, rather than trusting each individual host or entity explicitly. In order for a certificate presented by a remote entity to be trusted, that certificate must present a complete chain of certificates that can be validated using the root certificate of a Certificate Authority (CA) that is trusted by the local machine.

Establishing trust with a CA involves validating things like company address, ownership, contact information, etc., and ensuring that the CA has followed best practices, such as undergoing periodic security audits by independent investigators and maintaining an always available certificate revocation list. This is well outside the scope of BLFS (as it is for most Linux distributions). The certificate store provided here is taken from the Mozilla Foundation, who have established very strict inclusion policies described here.

This package is known to build and work properly using an LFS-8.1 platform.

Introduction to Certificate Authorities

Package Information

Certificate Authority Certificates Dependencies

Required

OpenSSL-1.1.0g

Optional (runtime)

Java-1.8.0.141 or OpenJDK-1.8.0.141, NSS-3.34.1, and p11-kit-0.23.9

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cacerts

Installation of Certificate Authority Certificates

The make-ca script will download and process the certificates included in the certdata.txt file for use in multiple certificate stores (if the associated applications are present on the system). Additionally, any local certificates stored in /etc/ssl/local will be imported to the certificate stores. Certificates in this directory should be stored as PEM encoded OpenSSL trusted certificates.

To create an OpenSSL trusted certificate from a regular PEM encoded file, you need to add trust arguments to the openssl command, and create a new certificate. There are three trust types that are recognized by the make-ca script: SSL/TLS, S/MIME, and code signing. For example, using the CAcert roots, if you want to trust both for all three roles, the following commands will create appropriate OpenSSL trusted certificates:

install -vdm755 /etc/ssl/local &&
wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        > /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        > /etc/ssl/local/CAcert_Class_3_root.pem

If one of the three trust arguments is omitted, the certificate is neither trusted nor rejected for that role. Clients that use OpenSSL or NSS and encounter this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA in the ca-bundle.crt (used for GnuTLS), it must have serverAuth trust. Additionally, to explicitly disallow a certificate for a particular use, replace the -addtrust flag with the -addreject flag.
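
The trust state of each role can be checked before make-ca imports a file from /etc/ssl/local. The following is an added example, not part of the BLFS page or the make-ca script; the function names trust_summary and make_sample and the self-signed "Constructed Test CA" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how an OpenSSL trusted certificate treats the three
# roles that make-ca recognizes (serverAuth, emailProtection, codeSigning).

# trust_summary FILE
# Prints: serverAuth=<state> emailProtection=<state> codeSigning=<state>
# <state> is trusted, rejected, or unset (neither trusted nor rejected).
trust_summary() {
    openssl x509 -in "$1" -noout -text | awk '
        function state(name) {
            if (index(rejected, name)) return "rejected"
            if (index(trusted, name))  return "trusted"
            return "unset"
        }
        # openssl prints the list of uses on the line after each header
        /Trusted Uses:/  { getline; trusted = $0 }
        /Rejected Uses:/ { getline; rejected = $0 }
        END {
            printf "serverAuth=%s emailProtection=%s codeSigning=%s\n",
                state("TLS Web Server Authentication"),
                state("E-mail Protection"),
                state("Code Signing")
        }'
}

# make_sample DIR
# Builds a constructed, throwaway self-signed CA in DIR, then writes a trusted
# certificate that trusts serverAuth, rejects codeSigning, and leaves
# emailProtection unset.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl x509 -in "$1/ca.crt" -setalias "Constructed Test CA" \
        -addtrust serverAuth -addreject codeSigning \
        -out "$1/Constructed_Test_CA.pem"
}

# Demonstration on the constructed sample; a real audit would loop over
# /etc/ssl/local/*.pem instead.
tmp=$(mktemp -d) && make_sample "$tmp" &&
trust_summary "$tmp/Constructed_Test_CA.pem"
```

A file that reports serverAuth=unset or serverAuth=rejected does not meet the serverAuth requirement stated above for inclusion in ca-bundle.crt.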

To install the various certificate stores, first install the make-ca script into the correct location. As the root user:

make install

As the root user, download and update the certificate stores with the following command:

Note

If running the script a second time with the same version of certdata.txt, for instance, to add additional stores as the requisite software is installed, add the -f switch to the command line. If packaging, run make-ca --help to see all available command line options.

/usr/sbin/make-ca -g

You should periodically update the store with the above command either manually, or via a systemd timer. A timer is installed at /etc/systemd/system/update-pki.timer that, if enabled, will check for updates weekly.

The default certdata.txt file provided by make-ca is obtained from the mozilla-release branch, and is modified to provide a Mercurial revision. This will be the correct version for most systems. There are, however, several other variants of the file available for use that might be preferred for one reason or another, including the files shipped with Mozilla products in this book. Red Hat and openSUSE, for instance, use the version included in NSS-3.34.1. Additional upstream downloads are available at the links below.

Contents

Installed Programs: make-ca
Installed Libraries: None
Installed Directories: /etc/ssl/{certs,java,local} and /etc/pki/{nssdb,anchors}

Short Descriptions

make-ca

is a shell script that adapts a current version of certdata.txt, and prepares it for use as the system certificate store.

Last updated on 2017-10-15 20:42:33 -0500