emo/make-ca
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update README

Browse Source
This commit is contained in:
DJ Lucas 2019-01-04 21:35:03 -06:00 committed by GitHub
parent 1f668ec233
commit a2b5c44153
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 22 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
README
View File

@ -8,8 +8,28 @@ build, but has been written to be generic enough for any Linux distribution.
The make-ca script will process the certificates included in the certdata.txt The make-ca script will process the certificates included in the certdata.txt
file for use in multiple certificate stores (if the associated applications are file for use in multiple certificate stores (if the associated applications are
present on the system). Additionally, any local certificates stored in present on the system). Additionally, any local certificates stored in
/etc/ssl/local will be imported to the certificate stores. Certificates in this /etc/ssl/local will be imported into the certificate stores. Certificates in
directory should be stored as PEM encoded OpenSSL trusted certificates. this directory should be stored as PEM encoded OpenSSL trusted certificates.
As of version 1.2, a p11-kit helper, copy-trust-modifications, is included
for use in p11-kit's trust-extract-compat script (which should be symlinked
to the user's path as update-ca-certificates). Manual creation of OpenSSL
trusted certificates is no longer needed. Instead, import the certificate
using p11-kit's trust utility, and recreate the individual stores using the
update-ca-certificates script. A copy of any modified anchors will be placed
into $LOCALDIR (in the correct format) by the p11-kit helper script.
For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
from trust/trust-extract-compat.in, and append the following:
===============================================================================
# Copy existing modifications to local store
/usr/libexec/make-ca/copy-trust-modifications
# Generate a new trust store
/usr/sbin/make-ca -f -g
===============================================================================
The manual instructions below have been left for reference.
To create an OpenSSL trusted certificate from a regular PEM encoded file, To create an OpenSSL trusted certificate from a regular PEM encoded file,
provided by a CA not included in Mozilla's certificate distribution, you need provided by a CA not included in Mozilla's certificate distribution, you need
@ -36,17 +56,3 @@ particular use, replace the -addtrust flag with the -addreject flag.
Local trust overrides are handled entirely using the /etc/ssl/local directory. Local trust overrides are handled entirely using the /etc/ssl/local directory.
To override Mozilla's trust values, simply make a copy of the certificate in To override Mozilla's trust values, simply make a copy of the certificate in
the local directory with alternate trust values. the local directory with alternate trust values.
Additionally, for the p11-kit distro hook, remove the "not configured" and
"exit 1" lines from trust/trust-extract-compat.in, and add the following
commands:
===============================================================================
# Copy existing modifications to local store
/usr/libexec/make-ca/copy-trust-modifications
# Generate a new trust store
/usr/sbin/make-ca -f -g
EOF
===============================================================================