Public Key Infrastructure (PKI) is a method to validate the authenticity of an otherwise unknown entity across untrusted networks. PKI works by establishing a chain of trust, rather than trusting each individual host or entity explicitly. In order for a certificate presented by a remote entity to be trusted, that certificate must present a complete chain of certificates that can be validated using the root certificate of a Certificate Authority (CA) that is trusted by the local machine.
Establishing trust with a CA involves validating things like company address, ownership, contact information, etc., and ensuring that the CA has followed best practices, such as undergoing periodic security audits by independent investigators and maintaining an always available certificate revocation list. This is well outside the scope of BLFS (as it is for most Linux distributions). The certificate store provided here is taken from the Mozilla Foundation, who have established very strict inclusion policies described here.
This package is known to build and work properly using an LFS-10.1 platform.
Download (HTTP): https://github.com/djlucas/make-ca/releases/download/v1.7/make-ca-1.7.tar.xz
Download size: 28.5 KB
Download MD5 Sum: e0356f5ae5623f227a3f69b5e8848ec6
Estimated disk space required: 6.6 MB (with all runtime deps)
Estimated build time: 0.1 SBU (with all runtime deps)
p11-kit-0.23.22 (required at runtime to generate certificate stores from trust anchors)
NSS-3.61 (to generate a shared NSSDB)
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/make-ca
The make-ca script will download and process the certificates included in the certdata.txt file for use as trust anchors for the p11-kit-0.23.22 trust module. Additionally, it will generate system certificate stores used by BLFS applications (if the recommended and optional applications are present on the system). Any local certificates stored in /etc/ssl/local will be imported to both the trust anchors and the generated certificate stores (overriding Mozilla's trust). In the other direction, any trust values modified with the trust utility from p11-kit will be copied from the trust anchors to /etc/ssl/local prior to any updates, preserving custom trust values that differ from Mozilla.

To install the various certificate stores, first install the make-ca script into the correct location. As the root user:

make install && install -vdm755 /etc/ssl/local
As the root user, after installing p11-kit-0.23.22, download the certificate source and prepare for system use with the following command:

Note: If running the script a second time with the same version of certdata.txt, for instance to add additional stores as the requisite software is installed, add the -r switch to the command line. If packaging, run make-ca --help to see all available command line options.

/usr/sbin/make-ca -g
You should periodically update the store with the above command, either manually or via a systemd timer. A timer is installed at /usr/lib/systemd/system/update-pki.timer that, if enabled, will check for updates weekly. Execute the following command, as the root user, to enable the systemd timer:

systemctl enable update-pki.timer
For most users, no additional configuration is necessary. However, the default certdata.txt file provided by make-ca is obtained from the mozilla-release branch, and is modified to provide a Mercurial revision. This will be the correct version for most systems. There are several other variants of the file available for use that might be preferred for one reason or another, including the files shipped with Mozilla products in this book. Red Hat and OpenSUSE, for instance, use the version included in NSS-3.61. Additional upstream downloads are available at the links included in /etc/make-ca.conf.dist. Simply copy the file to /etc/make-ca.conf and edit as appropriate.

There are three trust types recognized by the make-ca script: SSL/TLS, S/MIME, and code signing. For OpenSSL, these are serverAuth, emailProtection, and codeSigning respectively. If one of the three trust arguments is omitted, the certificate is neither trusted nor rejected for that role. Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA into the ca-bundle.crt, email-ca-bundle.crt, or objsign-ca-bundle.crt files (the GnuTLS legacy bundles), it must have the appropriate trust arguments.

The /etc/ssl/local directory is available to add additional CA certificates to the system. For instance, you might need to add an organization or government CA certificate. Files in this directory must be in the OpenSSL trusted certificate format. To create an OpenSSL trusted certificate from a regular PEM encoded file, you need to add trust arguments to the openssl command, and create a new certificate. For example, using the CAcert roots, if you want to trust both roots for all three roles, the following commands will create appropriate OpenSSL trusted certificates (run as the root user after Wget-1.21.1 is installed):

wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        > /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        > /etc/ssl/local/CAcert_Class_3_root.pem &&
/usr/sbin/make-ca -r -f
        
Occasionally, there may be instances where you don't agree with Mozilla's inclusion of a particular certificate authority. If you'd like to override the default trust of a particular CA, simply create a copy of the existing certificate in /etc/ssl/local with different trust arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root" file, run the following commands:

openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
             -text \
             -fingerprint \
             -setalias "Disabled Makebelieve CA Root" \
             -addreject serverAuth \
             -addreject emailProtection \
             -addreject codeSigning \
       > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &&
/usr/sbin/make-ca -r -f
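The following script is an added example, not code from the BLFS book or from make-ca itself. It wraps the openssl x509 invocations used in the two procedures above (trusting a local CA for chosen roles, and distrusting a Mozilla-shipped CA) in checked helpers: a root fetched over plain HTTP is only written into /etc/ssl/local once its SHA-256 fingerprint matches a value obtained out of band, and a summary function shows the Trusted/Rejected Uses and Alias that make-ca will see. The function names, the LOCAL_DIR override and the fingerprint-check policy are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the BLFS book or make-ca): checked wrappers around
# the openssl x509 commands used on this page. A root fetched over plain HTTP
# is only written into /etc/ssl/local after its SHA-256 fingerprint matches a
# value obtained out of band (e.g. the CA's published fingerprint list).
# Assumed: openssl in PATH; LOCAL_DIR may be overridden (used by the test).
set -eu
LOCAL_DIR="${LOCAL_DIR:-/etc/ssl/local}"

# SHA-256 fingerprint of a PEM certificate, as openssl prints it (AB:CD:...).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: make_local_cert INFILE ALIAS EXPECTED_FP trust|reject ROLE...
# ROLE is serverAuth, emailProtection or codeSigning. Writes
# $LOCAL_DIR/<alias with underscores>.pem in the OpenSSL trusted certificate
# format this page describes and prints that path. Run make-ca -r -f afterwards.
make_local_cert() {
    infile=$1 alias=$2 expected=$3 mode=$4
    shift 4
    actual=$(cert_fingerprint "$infile")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $infile: fingerprint $actual does not match $expected" >&2
        return 1
    fi
    case $mode in
        trust)  flag=-addtrust ;;    # trusted for the listed roles
        reject) flag=-addreject ;;   # explicitly distrusted, overriding Mozilla
        *)      echo "mode must be trust or reject" >&2; return 1 ;;
    esac
    args=""
    for role in "$@"; do args="$args $flag $role"; done
    out="$LOCAL_DIR/$(printf '%s' "$alias" | tr ' ' '_').pem"
    # $args is intentionally unquoted so each "-addtrust ROLE" pair is split.
    openssl x509 -in "$infile" -text -fingerprint -setalias "$alias" $args > "$out"
    echo "$out"
}

# Print the trust attributes make-ca will see ("Trusted Uses:", "Rejected
# Uses:", "Alias:"). Only the PEM block is fed to openssl, so the -text
# preamble stored in the file is ignored.
cert_trust_summary() {
    sed -n '/-----BEGIN/,/-----END/p' "$1" | openssl x509 -noout -text \
        | sed -n '/Trusted Uses/,$p'
}
```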
      Last updated on 2021-02-19 22:13:48 -0800