Update to make-ca-1.4.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21457 af4574ff-66df-0310-9fd7-8a98e5e911e0
This commit is contained in:
DJ Lucas 2019-04-13 20:06:50 +00:00
parent 35c1879413
commit 254e3bf842
5 changed files with 30 additions and 14 deletions


@ -1,12 +1,12 @@
<!-- $LastChangedBy$ $Date$ -->
<!ENTITY day "11"> <!-- Always 2 digits -->
<!ENTITY day "13"> <!-- Always 2 digits -->
<!ENTITY month "04"> <!-- Always 2 digits -->
<!ENTITY year "2019">
<!ENTITY copyrightdate "2001-&year;">
<!ENTITY copyholder "The BLFS Development Team">
<!ENTITY version "&year;-&month;-&day;">
<!ENTITY releasedate "April 11th, &year;">
<!ENTITY releasedate "April 13th, &year;">
<!ENTITY pubdate "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
<!ENTITY blfs-version "svn"> <!-- svn|[release #] -->
<!ENTITY lfs-version "development"> <!-- x.y|development -->


@ -41,6 +41,15 @@
</itemizedlist>
</listitem>
-->
<listitem>
<para>April 13th, 2019</para>
<itemizedlist>
<listitem>
<para>[dj] - Update to make-ca-1.4.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>April 11th, 2019</para>
<itemizedlist>


@ -24,7 +24,7 @@
<!ENTITY linux-pam-version "1.3.0">
<!ENTITY linux-pam-docs-version "1.2.0">
<!ENTITY libpwquality-version "1.4.0">
<!ENTITY make-ca-version "1.2">
<!ENTITY make-ca-version "1.4">
<!ENTITY mitkrb-major-version "1.17">
<!ENTITY mitkrb-version "1.17">
<!ENTITY nettle-version "3.4.1">


@ -11,7 +11,7 @@
<!ENTITY make-ca-download "https://github.com/djlucas/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
<!ENTITY make-ca-size "28 KB">
<!ENTITY make-ca-md5sum "5b68cf77b02d5681f8419b8acfd139c0">
<!ENTITY make-ca-md5sum "995896ca8b4ee1f92a4a8fa46585d59d">
]>
<sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">
@ -103,13 +103,18 @@
on the system). Any local certificates stored in
<filename>/etc/ssl/local</filename> will be imported to both the trust
anchors and the generated certificate stores (overriding Mozilla's
trust).</para>
trust). Additionally, any modified trust values will be copied from the
trust anchors to <filename>/etc/ssl/local</filename> prior to any updates,
preserving custom trust values that differ from Mozilla when using the
<command>trust</command> utility from <application>p11-kit</application>
to operate on the trust store.</para>
<para>To install the various certificate stores, first install the
<application>make-ca</application> script into the correct location.
As the <systemitem class="username">root</systemitem> user:</para>
<screen role="root"><userinput>make install</userinput></screen>
<screen role="root"><userinput>make install &amp;&amp;
install -vdm755 /etc/ssl/local</userinput></screen>
<para>As the <systemitem class="username">root</systemitem> user, after
installing <xref linkend="p11-kit"/>, download the certificate source and
@ -135,7 +140,7 @@
<screen role="nodump"><userinput>ln -sfv /etc/pki/tls/certs/ca-bundle.crt \
/etc/ssl/ca-bundle.crt</userinput></screen>
<para>You should periodically update the store with the above command
<para>You should periodically update the store with the above command,
either manually, or via a <phrase revision="sysv">cron job.</phrase>
<phrase revision="systemd">systemd timer. A timer is installed at
<filename>/usr/lib/systemd/system/update-pki.timer</filename> that, if
@ -214,15 +219,15 @@ chmod 754 /etc/cron.weekly/update-pki.sh</userinput></screen>
<systemitem class="username">root</systemitem> user after
<xref linkend="wget"/> is installed):</para>
<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
wget http://www.cacert.org/certs/root.crt &amp;&amp;
<screen role="nodump"><userinput>wget http://www.cacert.org/certs/root.crt &amp;&amp;
wget http://www.cacert.org/certs/class3.crt &amp;&amp;
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_1_root.pem &amp;&amp;
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_3_root.pem</userinput></screen>
> /etc/ssl/local/CAcert_Class_3_root.pem &amp;&amp;
/usr/sbin/make-ca -r -f</userinput></screen>
<bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
@ -234,8 +239,7 @@ openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root"
file, run the following commands:</para>
<screen role="nodump"><userinput>install -vdm755 /etc/ssl/local &amp;&amp;
openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
<screen role="nodump"><userinput>openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
-text \
-fingerprint
-setalias "Disabled Makebelieve CA Root" \
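Review bot: The rewritten CAcert example in the `@ -214` hunk still fetches root.crt and class3.crt over plain http, and the new trailing `/usr/sbin/make-ca -r -f` now imports whatever was downloaded as a trust anchor for serverAuth, emailProtection and codeSigning in the same command, while nothing compares the fingerprint that `-fingerprint` merely prints. The paragraph before that screen should ask the reader to check the printed fingerprints against the values CAcert publishes before running make-ca, e.g. `Verify that the fingerprints printed by openssl match those published by CAcert before running make-ca.`, or move the make-ca rebuild into a separate screen after that check. This hunk and the `@ -234` one drop `install -vdm755 /etc/ssl/local` because the install step in the `@ -103` hunk now creates the directory; readers upgrading from an earlier make-ca without re-running `make install` will presumably lack it, so a short note there would help. The enclosing sect1 starts and ends outside these hunks.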


@ -228,10 +228,13 @@ ln -s /usr/libexec/p11-kit/trust-extract-compat \
<para>
is a command line tool to both extract local certificates from an
upadated anchor store, and regenerate all anchors and certificate
stores on the system.
stores on the system. This is done unconditionally on BLFS using
the <parameter>--force</parameter> and <parameter>--get</parameter>
flags to <command>make-ca</command> and should likely not be used
for automated updates.
</para>
<indexterm zone="p11-kit update-ca-certificates">
<primary sortas="b-trust">update-ca-certificates</primary>
<primary sortas="b-update-ca-certificates">update-ca-certificates</primary>
</indexterm>
</listitem>
</varlistentry>
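Review bot: The added sentence `This is done unconditionally on BLFS using the --force and --get flags to make-ca and should likely not be used for automated updates.` leaves its subject ambiguous: it is unclear whether the warning applies to update-ca-certificates, the command this entry appears to document, or to the `--force`/`--get` flags themselves. Naming the subject would settle it, e.g. `... flags to make-ca; update-ca-certificates should therefore not be used for automated updates.` (or the flags, if that is what is meant). The unchanged context line above still reads `upadated anchor store` and could be corrected while this paragraph is being edited. The enclosing varlistentry begins outside the hunk.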