Public Key Infrastructure (PKI) is a method to validate the authenticity of an otherwise unknown entity across untrusted networks. PKI works by establishing a chain of trust, rather than trusting each individual host or entity explicitly. In order for a certificate presented by a remote entity to be trusted, that certificate must present a complete chain of certificates that can be validated using the root certificate of a Certificate Authority (CA) that is trusted by the local machine.
Establishing trust with a CA involves validating things like company address, ownership, contact information, etc., and ensuring that the CA has followed best practices, such as undergoing periodic security audits by independent investigators and maintaining an always-available certificate revocation list. This is well outside the scope of BLFS (as it is for most Linux distributions). The certificate store provided here is taken from the Mozilla Foundation, who have established very strict inclusion policies.
The make-ca script will download and process the certificates included in the certdata.txt file for use as trust anchors for the p11-kit trust module. Additionally, it will generate system certificate stores used by BLFS applications (if the recommended and optional applications are present on the system). Any local certificates stored in /etc/ssl/local will be imported to both the trust anchors and the generated certificate stores (overriding Mozilla's trust). Additionally, any modified trust values will be copied from the trust anchors to /etc/ssl/local prior to any updates, preserving custom trust values that differ from Mozilla when using the trust utility from p11-kit to operate on the trust store.
To install the various certificate stores, first install the make-ca script into the correct location. As the root user:
Create the PKGBUILD for the make-ca package with the following commands:
mkdir /sources/make-ca
cd /sources/make-ca
cat > PKGBUILD << "REALEOF"
# Maintainer: Linux From Scratch <lfs-dev@lists.linuxfromscratch.org>
pkgname="make-ca"
pkgver="1.10"
pkgrel="1"
pkgdesc="The make-ca script generates system certificate stores."
arch=('any')
url="https://github.com/djlucas/make-ca/"
license=('MIT'
'GPLv3')
groups=('core')
install="make-ca.install"
depends=('bash'
'coreutils'
'diffutils'
'gawk'
'grep'
'openssl'
'p11-kit'
'sed')
makedepends=('make')
optdepends=('nss: to generate a shared NSSDB')
source=('https://github.com/lfs-book/make-ca/releases/download/v1.10/make-ca-1.10.tar.xz')
md5sums=('74f1ad16d7a086ac76e0424fd4dfe67b')
package(){
cd "${pkgname}-${pkgver}"
make DESTDIR="${pkgdir}" install
install -vdm755 "${pkgdir}/etc/ssl/local"
rm -r "${pkgdir}/usr/lib/systemd"
# Install a weekly cron script to update the ca-certificates automatically
install -vdm755 "${pkgdir}/etc/cron.weekly/"
cat > "${pkgdir}/etc/cron.weekly/update-pki.sh" << "EOF"
#!/bin/bash
/usr/sbin/make-ca -g
EOF
chmod 754 "${pkgdir}/etc/cron.weekly/update-pki.sh"
}
REALEOF
Create the install script for make-ca that will automatically run make-ca on install or upgrade:
cat > make-ca.install << "REALEOF"
# make-ca.install
# make-ca is installed to /usr/sbin (the same path used by the cron script
# above and by the manual invocations later on this page).
post_install(){
/usr/sbin/make-ca -g
}
post_upgrade(){
/usr/sbin/make-ca -g
}
REALEOF
Prepare the build directory for the pacman user and build the package:
chown -R root:pacman .
chmod 2775 .
chmod 664 PKGBUILD
su pacman -c 'makepkg -L --nodeps'
Add the newly created package to the central package repository:
cp make-ca-1.10-1-any.pkg.tar.xz \
/srv/pacman/repos/LFS/
repo-add /srv/pacman/repos/LFS/LFS.db.tar.xz \
/srv/pacman/repos/LFS/make-ca-1.10-1-any.pkg.tar.xz
Update the local cache and install the make-ca package:
pacman -Syu
pacman -S make-ca --overwrite \* -dd --noconfirm
Finally, copy the source files into the source repository and clean up the build directory:
mkdir /srv/pacman/source/LFS/make-ca
cp PKGBUILD /srv/pacman/source/LFS/make-ca
cd /sources
rm -rf make-ca
If running the script a second time with the same version of certdata.txt, for instance, to add additional stores as the requisite software is installed, add the -r switch to the command line. If packaging, run make-ca --help to see all available command line options.
For most users, no additional configuration is necessary. However, the default certdata.txt file provided by make-ca is obtained from the mozilla-release branch, and is modified to provide a Mercurial revision. This will be the correct version for most systems. There are several other variants of the file available for use that might be preferred for one reason or another, including the files shipped with Mozilla products in this book. Red Hat and openSUSE, for instance, use the version included in nss. Additional upstream downloads are available at the links included in /etc/make-ca.conf.dist. Simply copy the file to /etc/make-ca.conf and edit as appropriate.
There are three trust types that are recognized by the make-ca script: SSL/TLS, S/MIME, and code signing. For OpenSSL, these are serverAuth, emailProtection, and codeSigning respectively. If one of the three trust arguments is omitted, the certificate is neither trusted nor rejected for that role. Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA in the ca-bundle.crt, email-ca-bundle.crt, or objsign-ca-bundle.crt files (the GnuTLS legacy bundles), it must have the appropriate trust arguments.
The /etc/ssl/local directory is available to add additional CA certificates to the system. For instance, you might need to add an organization or government CA certificate. Files in this directory must be in the OpenSSL trusted certificate format. To create an OpenSSL trusted certificate from a regular PEM encoded file, you need to add trust arguments to the openssl command, and create a new certificate. For example, using the CAcert roots, if you want to trust both for all three roles, the following commands will create appropriate OpenSSL trusted certificates (run as the root user after wget is installed):
wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_3_root.pem &&
/usr/sbin/make-ca -r -f
Occasionally, there may be instances where you don't agree with Mozilla's inclusion of a particular certificate authority. If you'd like to override the default trust of a particular CA, simply create a copy of the existing certificate in /etc/ssl/local with different trust arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root" file, run the following commands:
openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
-text \
-fingerprint \
-setalias "Disabled Makebelieve CA Root" \
-addreject serverAuth \
-addreject emailProtection \
-addreject codeSigning \
> /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &&
/usr/sbin/make-ca -r -f