%general-entities; ]> $LastChangedBy: bdubbs $ $Date: 2015-02-20 15:02:49 -0500 (Fri, 20 Feb 2015) $ The Public Key Inrastructure is used for many security issues in a Linux system. In order for a certificate to be trusted, it must be signed by a trusted agent called a Certificate Authority (CA). The certificates loaded by this section are from the list on the Mozilla version control system and formats it into a form used by . The certificates can also be used by other applications either directly of indirectly through openssl. &lfs77_checked; Certificate Authority Certificates Package Information CA Certificate Download: CA Bundle size: &ca-bundle-size; Estimated disk space required: &cacerts-buildsize; Estimated build time: &cacerts-time; The certfile.txt file above is actually retrieved from . It is really an HTML file, but the text file can be retrieved indirectly from the HTML file. The Download URL above automates that process and also adds a line where the date can be extracted as a revision number by the scripts below. Certificate Authority Certificates Dependencies Required Recommended User Notes: First create a script to reformat a certificate into a form needed by openssl. As the root user: cat > /usr/bin/make-cert.pl << "EOF" #!/usr/bin/perl -w # Used to generate PEM encoded files from Mozilla certdata.txt. # Run as ./make-cert.pl > certificate.crt # # Parts of this script courtesy of RedHat (mkcabundle.pl) # # This script modified for use with single file data (tempfile.cer) extracted # from certdata.txt, taken from the latest version in the Mozilla NSS source. # mozilla/security/nss/lib/ckfw/builtins/certdata.txt # # Authors: DJ Lucas # Bruce Dubbs # # Version 20120211 my $certdata = './tempfile.cer'; open( IN, "cat $certdata|" ) || die "could not open $certdata"; my $incert = 0; while ( <IN> ) { if ( /^CKA_VALUE MULTILINE_OCTAL/ ) { $incert = 1; open( OUT, "|openssl x509 -text -inform DER -fingerprint" ) || die "could not pipe to openssl x509"; } elsif ( /^END/ && $incert ) { close( OUT ); $incert = 0; print "\n\n"; } elsif ($incert) { my @bs = split( /\\/ ); foreach my $b (@bs) { chomp $b; printf( OUT "%c", oct($b) ) unless $b eq ''; } } } EOF chmod +x /usr/bin/make-cert.pl The following script creates the certificates and a bundle of all the certificates. It creates a ./certs directory and ./BLFS-ca-bundle-${VERSION}.crt. Again create this script as the root user: cat > /usr/bin/make-ca.sh << "EOF" #!/bin/sh # Begin make-ca.sh # Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs # # The file certdata.txt must exist in the local directory # Version number is obtained from the version of the data. # # Authors: DJ Lucas # Bruce Dubbs # # Version 20120211 certdata="certdata.txt" if [ ! -r $certdata ]; then echo "$certdata must be in the local directory" exit 1 fi REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$') if [ -z "${REVISION}" ]; then echo "$certfile has no 'Revision' in CVS_ID" exit 1 fi VERSION=$(echo $REVISION | cut -f2 -d" ") TEMPDIR=$(mktemp -d) TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH" BUNDLE="BLFS-ca-bundle-${VERSION}.crt" CONVERTSCRIPT="/usr/bin/make-cert.pl" SSLDIR="/etc/ssl" mkdir "${TEMPDIR}/certs" # Get a list of starting lines for each cert CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1) # Get a list of ending lines for each cert CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1` # Start a loop for certbegin in ${CERTBEGINLIST}; do for certend in ${CERTENDLIST}; do if test "${certend}" -gt "${certbegin}"; then break fi done # Dump to a temp file with the name of the file as the beginning line number sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp" done unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend mkdir -p certs rm -f certs/* # Make sure the directory is clean for tempfile in ${TEMPDIR}/certs/*.tmp; do # Make sure that the cert is trusted... grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \ egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null if test "${?}" = "0"; then # Throw a meaningful error and remove the file cp "${tempfile}" tempfile.cer perl ${CONVERTSCRIPT} > tempfile.crt keyhash=$(openssl x509 -noout -in tempfile.crt -hash) echo "Certificate ${keyhash} is not trusted! Removing..." rm -f tempfile.cer tempfile.crt "${tempfile}" continue fi # If execution made it to here in the loop, the temp cert is trusted # Find the cert data and generate a cert file for it cp "${tempfile}" tempfile.cer perl ${CONVERTSCRIPT} > tempfile.crt keyhash=$(openssl x509 -noout -in tempfile.crt -hash) mv tempfile.crt "certs/${keyhash}.pem" rm -f tempfile.cer "${tempfile}" echo "Created ${keyhash}.pem" done # Remove blacklisted files # MD5 Collision Proof of Concept CA if test -f certs/8f111d69.pem; then echo "Certificate 8f111d69 is not trusted! Removing..." rm -f certs/8f111d69.pem fi # Finally, generate the bundle and clean up. cat certs/*.pem > ${BUNDLE} rm -r "${TEMPDIR}" EOF chmod +x /usr/bin/make-ca.sh Add a short script to remove expired certificates from a directory. Again create this script as the root user: cat > /usr/bin/remove-expired-certs.sh << "EOF" #!/bin/sh # Begin /usr/bin/remove-expired-certs.sh # # Version 20120211 # Make sure the date is parsed correctly on all systems mydate() { local y=$( echo $1 | cut -d" " -f4 ) local M=$( echo $1 | cut -d" " -f1 ) local d=$( echo $1 | cut -d" " -f2 ) local m if [ ${d} -lt 10 ]; then d="0${d}"; fi case $M in Jan) m="01";; Feb) m="02";; Mar) m="03";; Apr) m="04";; May) m="05";; Jun) m="06";; Jul) m="07";; Aug) m="08";; Sep) m="09";; Oct) m="10";; Nov) m="11";; Dec) m="12";; esac certdate="${y}${m}${d}" } OPENSSL=/usr/bin/openssl DIR=/etc/ssl/certs if [ $# -gt 0 ]; then DIR="$1" fi certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" ) today=$( date +%Y%m%d ) for cert in $certs; do notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout ) date=$( echo ${notafter} | sed 's/^notAfter=//' ) mydate "$date" if [ ${certdate} -lt ${today} ]; then echo "${cert} expired on ${certdate}! Removing..." rm -f "${cert}" fi done EOF chmod +x /usr/bin/remove-expired-certs.sh The following commands will fetch the certificates and convert them to the correct format. If desired, a web browser may be used instead of wget but the file will need to be saved with the name certdata.txt. These commands can be repeated as necessary to update the CA Certificates. URL=&sources-anduin-other-http;/certdata.txt && rm -f certdata.txt && wget $URL && make-ca.sh && remove-expired-certs.sh certs && unset URL Now, as the root user: SSLDIR=/etc/ssl && install -d ${SSLDIR}/certs && cp -v certs/*.pem ${SSLDIR}/certs && c_rehash && install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt && ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt && unset SSLDIR Finally, clean up the current directory: rm -r certs BLFS-ca-bundle* After installing or updating certificates, if OpenJDK is installed, update the certificates for Java using the procedures at . Installed Programs Installed Libraries Installed Directories make-ca.sh, make-cert.pl and remove-expired-certs.sh None /etc/ssl/certs Short Descriptions make-ca.sh is a shell script that reformats the certdata.txt file for use by openssl. make-ca make-cert.pl is a utility perl script that converts a single binary certificate (.der format) into .pem format. make-cert remove-expired-certs.sh is a utility shell script that removes expired certificates from a directory. The default directory is /etc/ssl/certs. remove-expired-certs