README,include.h2m: Sync documentation and fix typos.

This commit is contained in:
DJ Lucas 2021-08-05 22:43:41 -05:00
parent 8baf93dc22
commit f7a8c9f2f3
2 changed files with 35 additions and 35 deletions

README

@ -21,11 +21,9 @@ A p11-kit helper, copy-trust-modifications, is included for use in p11-kit's
trust-extract-compat script (which should be symlinked to the user's path as trust-extract-compat script (which should be symlinked to the user's path as
update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no
longer required for general use. Instead, import the certificate using longer required for general use. Instead, import the certificate using
p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality, p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality.
which will recreate the individual stores assigning serverAuth permissions to This will recreate the individual stores assigning approriate permissions to
the added certificate. A copy of any newly added anchors will be placed the newly added anchor(s). Additionally, a copy of any newly added anchors will be placed into $LOCALDIR for future use.
into $LOCALDIR (in the correct format) by the p11-kit helper script, and the
individual stores will be recreated.
For the p11-kit distro hook, remove the "not configured" and "exit 1" lines For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
from trust/trust-extract-compat, and append the following: from trust/trust-extract-compat, and append the following:
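Review bot: the rewritten sentence in this hunk introduces a new typo, "approriate permissions" (should be "appropriate"), in a commit whose subject line says it fixes typos. The same rewrite also replaces the concrete statement that the helper assigns "serverAuth permissions" with the vaguer "appropriate permissions"; since this README is what an administrator reads before trusting an anchor for TLS, either keep the explicit serverAuth wording or state which usages are assigned. Separately, the new last line of the paragraph ("Additionally, a copy of any newly added anchors will be placed into $LOCALDIR for future use.") runs well past the wrap width used everywhere else in the file and should be rewrapped to match.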
@ -34,7 +32,7 @@ from trust/trust-extract-compat, and append the following:
/usr/libexec/make-ca/copy-trust-modifications /usr/libexec/make-ca/copy-trust-modifications
# Generate a new trust store # Generate a new trust store
/usr/sbin/make-ca -f -g /usr/sbin/make-ca -r
=============================================================================== ===============================================================================
If you wish to distribute the results of this script as a standalone package, If you wish to distribute the results of this script as a standalone package,
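Review bot: the distro-hook snippet changes from "/usr/sbin/make-ca -f -g" to "/usr/sbin/make-ca -r", but the commit message only mentions syncing documentation and fixing typos. Because this is the command that regenerates the system trust stores after an anchor is added, the message (or a comment in the snippet) should say what -r does and why it replaces -f -g, so that anyone updating an existing hook knows whether the behaviour (for example, whether certdata.txt is re-fetched) changes.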
@ -47,7 +45,7 @@ local directory, and to provide the written policy in the distributed package.
While the p11-kit trust utility can be used in most simple cases, you may While the p11-kit trust utility can be used in most simple cases, you may
require additional trust arguments for certian certificates. In these cases, require additional trust arguments for certian certificates. In these cases,
you will need to manually create an OpenSSL trusted certificate from a regular you will need to manually create an OpenSSL trusted certificate from a regular
PEM encoded file (use -inform for der or pkcs7 encoded certs).There are three PEM encoded file (use -inform for der or pkcs7 encoded certs). There are three
trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and
code signing. For example, using the CAcert root, if you want it to be trusted code signing. For example, using the CAcert root, if you want it to be trusted
for all three roles, the following commands will create an appropriate OpenSSL for all three roles, the following commands will create an appropriate OpenSSL
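Review bot: this hunk fixes the missing space in "certs).There" but leaves "certian certificates" unchanged on the same line; while touching the paragraph, correct it to "certain". Consider also normalising "S/Mime" to the standard "S/MIME" spelling, which appears unchanged in both old and new text.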


@ -3,31 +3,33 @@ make-ca -g
[EXAMPLES] [EXAMPLES]
The make-ca script will process the certificates included in the certdata.txt The make-ca script will process the certificates included in the certdata.txt
file for use in multiple certificate stores (if the required prerequisites are file, and place them in the system trust anchors, for use in multiple
present on the system). Additionally, any local certificates stored in certificate stores. Additionally, any local OpenSSL Trusted certificates
/etc/ssl/local will be imported to the certificate stores. Certificates in this stored in /etc/ssl/local will also be imported into the system trust anchors
directory should be stored as PEM encoded OpenSSL trusted certificates. and certificate stores making it a full trust management utiltiy.
The make-ca script depends on OpenSSL-1.1.0, P11-Kit-0.23, and optionally, The make-ca script depends on OpenSSL >= 1.1.0, P11-Kit >= 0.23.19, and
NSS-3.23 (for the MozTrust exetension). Additionally, Coreutils, gawk, and sed optionally NSS >= 3.23 and Java >= 1.7. Additionally, Coreutils, gawk, and
are used. The default locations for output files can be tailored for your sed are used. The default locations for output files can be tailored for
environment via the /etc/make-ca.conf configuration file. your environment via the /etc/make-ca.conf configuration file.
As of version 1.2, a p11-kit helper, copy-trust-modifications, is included A p11-kit helper, copy-trust-modifications, is included for use in p11-kit's
for use in p11-kit's trust-extract-compat script. Manual creation of OpenSSL trust-extract-compat script (which should be symlinked to the user's path as
trusted certificates is no longer needed. Instead, import the certificate update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no
using p11-kit's trust utility, and recreate the individual stores using the longer required for general use. Instead, import the certificate using
update-ca-certificates script. A copy of any modified anchors will be placed p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality.
into $LOCALDIR (in the correct format) by the p11-kit helper script. The old This will recreate the individual stores assigning approriate permissions to
method is left for reference: the newly added anchor(s). Additionally, a copy of any newly added anchors will
be placed into $LOCALDIR for future use.
To create an OpenSSL trusted certificate from a regular PEM encoded file, While the p11-kit trust utility can be used in most simple cases, you may
provided by a CA not included in Mozilla's certificate distribution, you need require additional trust arguments for certian certificates. In these cases,
to add trust arguments to the openssl command, and create a new certificate. you will need to manually create an OpenSSL trusted certificate from a regular
There are three trust types that are recognized by the make-ca.sh script, PEM encoded file (use -inform for der or pkcs7 encoded certs). There are three
SSL/TLS, S/Mime, and code signing. For example, using the CAcert root, if you trust types that are recognized by the make-ca.sh script, SSL/TLS, S/Mime, and
want it to be trusted for all three roles, the following commands will create code signing. For example, using the CAcert root, if you want it to be trusted
an appropriate OpenSSL trusted certificate: for all three roles, the following commands will create an appropriate OpenSSL
Trusted certificate:
#\ install -vdm755 /etc/ssl/local \ #\ install -vdm755 /etc/ssl/local \
#\ wget http://www.cacert.org/certs/root.crt \ #\ wget http://www.cacert.org/certs/root.crt \
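Review bot: the new text in this hunk introduces two misspellings, "utiltiy" (should be "utility") and "approriate" (should be "appropriate"), and carries over "certian" from the README paragraph it copies; since this file is the man-page source, these reach end users via man make-ca. The paragraph is now duplicated verbatim between README and include.h2m, so a typo fixed in one will be missed in the other; either fix both in this commit or generate one from the other. Also, the new dependency line adds "Java >= 1.7" and bumps P11-Kit to ">= 0.23.19" while dropping "(for the MozTrust exetension)" as the reason NSS is optional; a short note on what each optional dependency enables would help a packager decide which stores they actually get.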
@ -39,12 +41,12 @@ an appropriate OpenSSL trusted certificate:
> /etc/ssl/local/CAcert_Class_1_root.pem > /etc/ssl/local/CAcert_Class_1_root.pem
If one of the three trust arguments is omitted, the certificate is neither If one of the three trust arguments is omitted, the certificate is neither
trusted, nor rejected for that role. Clients that use OpenSSL or NSS trusted, nor rejected for that role. Clients using GnuTLS without p11-kit
encountering this certificate will present a warning to the user. Clients using support are not aware of trusted certificates. To include this CA into the
GnuTLS without p11-kit support are not aware of trusted certificates. To ca-bundle.crt (used for GnuTLS linked applications not using the p11-module),
include this CA into the ca-bundle.crt (used for GnuTLS), it must have it must have serverAuth trust. Additionally, to explicitly disallow a
serverAuth trust. Additionally, to explicitly disallow a certificate for a certificate for a particular use, replace the -addtrust flag with the
particular use, replace the -addtrust flag with the -addreject flag. -addreject flag.
Local trust overrides are handled entirely using the /etc/ssl/local directory. Local trust overrides are handled entirely using the /etc/ssl/local directory.
To override Mozilla's trust values, simply make a copy of the certificate in To override Mozilla's trust values, simply make a copy of the certificate in
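Review bot: the new text removes the sentence "Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user." without any mention in the commit message, which only claims to sync documentation and fix typos. That sentence describes what a user sees when a trust role is omitted, so if it was removed because it is inaccurate, say so in the message; if it is still accurate, keep it, since the remaining text now only explains the GnuTLS case.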