diff --git a/general.ent b/general.ent
index ea0ddd9c8e..6a39472e24 100644
--- a/general.ent
+++ b/general.ent
@@ -1,12 +1,12 @@
-
+
-
+
diff --git a/introduction/welcome/changelog.xml b/introduction/welcome/changelog.xml
index 930ce2c743..f0d395f3ed 100644
--- a/introduction/welcome/changelog.xml
+++ b/introduction/welcome/changelog.xml
@@ -41,6 +41,15 @@
-->
+
+ April 13th, 2019
+
+
+ [dj] - Update to make-ca-1.4.
+
+
+
+
April 11th, 2019
diff --git a/packages.ent b/packages.ent
index 4d25e536f2..e153cf8eb2 100644
--- a/packages.ent
+++ b/packages.ent
@@ -24,7 +24,7 @@
-
+
diff --git a/postlfs/security/make-ca.xml b/postlfs/security/make-ca.xml
index 52dcc77c09..b30f0129c5 100644
--- a/postlfs/security/make-ca.xml
+++ b/postlfs/security/make-ca.xml
@@ -11,7 +11,7 @@
-
+
]>
@@ -103,13 +103,18 @@
on the system). Any local certificates stored in
/etc/ssl/local will be imported to both the trust
anchors and the generated certificate stores (overriding Mozilla's
- trust).
+ trust). Additionally, any modified trust values will be copied from the
+ trust anchors to /etc/ssl/local prior to any updates,
+ preserving custom trust values that differ from Mozilla when using the
+ trust utility from p11-kit
+ to operate on the trust store.
To install the various certificate stores, first install the
make-ca script into the correct location.
As the root user:
-make install
+make install &&
+install -vdm755 /etc/ssl/local
As the root user, after
installing , download the certificate source and
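Review bot: the new `install -vdm755 /etc/ssl/local` step creates a directory whose contents override Mozilla's trust for every generated store, and the added paragraph says modified trust values are now copied into it automatically; the text should state that this directory must remain owned by root and not be group- or world-writable (the 755 mode installed here), because any certificate placed there becomes a trust anchor system-wide. The added sentence "Additionally, any modified trust values will be copied ... to operate on the trust store." also runs very long; consider splitting it after "prior to any updates".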
@@ -135,7 +140,7 @@
ln -sfv /etc/pki/tls/certs/ca-bundle.crt \
/etc/ssl/ca-bundle.crt
- You should periodically update the store with the above command
+ You should periodically update the store with the above command,
either manually, or via a cron job.
systemd timer. A timer is installed at
/usr/lib/systemd/system/update-pki.timer that, if
@@ -214,15 +219,15 @@ chmod 754 /etc/cron.weekly/update-pki.sh
root user after
is installed):
-install -vdm755 /etc/ssl/local &&
-wget http://www.cacert.org/certs/root.crt &&
+wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
> /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
- > /etc/ssl/local/CAcert_Class_3_root.pem
+ > /etc/ssl/local/CAcert_Class_3_root.pem &&
+/usr/sbin/make-ca -r -f
Overriding Mozilla Trust
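Review bot: the CAcert roots are still fetched with `wget http://www.cacert.org/certs/root.crt` and `class3.crt` over plain HTTP and written straight into /etc/ssl/local, and the newly appended `/usr/sbin/make-ca -r -f` now makes them trust anchors in the same command chain. Since `openssl x509 ... -fingerprint` already prints the fingerprint, the instructions should tell the reader to compare that output against the fingerprint CAcert publishes before the `make-ca` step runs, or at least to fetch over https. The `-r -f` flags should also be named in the prose, because the p11-kit page refers only to the long forms `--force` and `--get` and a reader cannot tell whether these are the same options.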
@@ -234,8 +239,7 @@ openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root"
file, run the following commands:
-install -vdm755 /etc/ssl/local &&
-openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
+openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
-text \
-fingerprint
-setalias "Disabled Makebelieve CA Root" \
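Review bot: with `install -vdm755 /etc/ssl/local &&` removed from this example (and from the CAcert one above), the commands now assume the directory was created during the `make install` step; add a sentence saying /etc/ssl/local must already exist, so readers who jump straight to "Overriding Mozilla Trust" do not get a failing redirect into a missing directory.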
diff --git a/postlfs/security/p11-kit.xml b/postlfs/security/p11-kit.xml
index 398d2ca0da..51e7873604 100644
--- a/postlfs/security/p11-kit.xml
+++ b/postlfs/security/p11-kit.xml
@@ -228,10 +228,13 @@ ln -s /usr/libexec/p11-kit/trust-extract-compat \
is a command line tool to both extract local certificates from an
upadated anchor store, and regenerate all anchors and certificate
- stores on the system.
+ stores on the system. This is done unconditionally on BLFS using
+ the --force and --get
+ flags to make-ca and should likely not be used
+ for automated updates.
- update-ca-certificates
+ update-ca-certificates
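Review bot: in the added text, "This is done unconditionally on BLFS" has no clear referent: it is not obvious whether "this" means extracting the local certificates, regenerating the stores, or running the update-ca-certificates wrapper itself, and "should likely not be used for automated updates" inherits the same ambiguity. Name the subject, e.g. "On BLFS, update-ca-certificates runs make-ca unconditionally with the --force and --get flags, so it should not be used for automated updates." While touching this paragraph, fix "upadated" in the unchanged context line.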