make-ca's People

Contributors

djlucas, pierre-labastie, renodr, xry111

make-ca's Issues

/etc/pki/tls and /etc/ssl/certs include distrusted certificates

Reported by Robert Bartel via blfs-dev, and it also happens on my system:

Just recently I noticed that the /etc/pki/tls/certs/ca-bundle.crt generated by
make-ca 1.9 includes two explicitly distrusted certificates as indicated by
their comments:

# Explicitly Distrust DigiNotar Root CA
# Explicitly Distrusted DigiNotar PKIoverheid G2

It seems to me that p11-kit and OpenSSL can explicitly distrust certificates in
their CA stores for various usage purposes while the PEM bundle format
(ca-bundle.crt) used mainly by GnuTLS does not support this. So my
interpretation is that all applications using the bundles will trust these bad
certificates.

As make-ca uses p11-kit's "trust extract" utility to generate the PEM bundles, I
looked in trust/extract-pem.c of p11-kit 0.24. Here it looks like it iterates
over all certificates in the CA store and the trust status is only indicated by
the generated comment line. But I could be wrong.

I'm not wanting to create a GitHub account right now to report the issue to the
p11-kit project, so I first ask here if anyone can confirm or reject this?

For the time being I resorted to removing the bad certificates by using the
following command line:

for file in /etc/pki/tls/certs/*.crt; do
    # drop everything from a "# Explicitly Distrust..." comment through the
    # matching -----END CERTIFICATE----- line, keep all other lines
    awk -- '/^# Explicitly Distrust/    { delcert = 1 }
        !delcert                        { print }
        /^-----END/                     { delcert = 0 }' "${file}" >"${file}.tmp"
    mv -vf "${file}.tmp" "${file}"
    chmod -v 444 "${file}"
done

Thank you for reading this and keep up the good work!
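
The awk loop above keys only on the label comment. As an added example (not code from the report, make-ca or p11-kit), the script below parses a bundle in the layout the report describes (a "# <label>" comment line followed by the certificate), drops entries by that label prefix and, more robustly, by an optional blocklist of SHA-256 fingerprints of the DER, then reports what it removed. The sample bundle is constructed and its base64 payloads are placeholder bytes, not real certificates; the blocklist mechanism is this example's own addition.

```python
"""Drop explicitly distrusted CAs from a PEM bundle and report what was removed.

Added example, not make-ca's or p11-kit's code. Two signals reject an entry:
the label prefix "Explicitly Distrust" (what the awk one-liner keys on) and an
optional blocklist of SHA-256 fingerprints of the DER, since a label is just
text and can be absent or reworded.
"""
import base64
import hashlib
import re

DISTRUST_LABEL = re.compile(r"^Explicitly Distrust", re.IGNORECASE)
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER, lower-case hex without colons (same digest as
    openssl x509 -fingerprint -sha256, differently formatted)."""
    return hashlib.sha256(der).hexdigest()


def _pem_body(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def parse_bundle(text: str):
    """Split a bundle into [{'label', 'der', 'sha256'}], pairing each
    certificate with the comment line immediately above it."""
    entries, label, body = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if body is None:
            if line.startswith("#"):
                label = line[1:].strip()      # last comment before BEGIN wins
            elif line == BEGIN:
                body = []
        elif line == END:
            der = base64.b64decode("".join(body))
            entries.append({"label": label, "der": der, "sha256": fingerprint(der)})
            label, body = "", None
        elif line:
            body.append(line)
    if body is not None:
        raise ValueError("bundle ends inside a certificate block")
    return entries


def filter_bundle(entries, blocklist=frozenset()):
    """Return (kept, dropped); an entry is dropped on a distrust label or a
    blocklisted fingerprint."""
    kept, dropped = [], []
    for e in entries:
        bad = DISTRUST_LABEL.match(e["label"]) or e["sha256"] in blocklist
        (dropped if bad else kept).append(e)
    return kept, dropped


def render_bundle(entries) -> str:
    """Write entries back in the same "# label" + PEM layout."""
    return "".join("# %s\n%s\n%s\n%s\n" % (e["label"], BEGIN, _pem_body(e["der"]), END)
                   for e in entries)


def clean_bundle(text: str, blocklist=frozenset()):
    """Rewrite a bundle without distrusted entries; returns (new_text, dropped_labels)."""
    kept, dropped = filter_bundle(parse_bundle(text), blocklist)
    return render_bundle(kept), [e["label"] for e in dropped]


# Constructed sample bundle: the payloads are placeholder bytes, not real certificates.
SAMPLE_BUNDLE = render_bundle([
    {"label": "Example Trusted Root CA", "der": b"constructed-der-good-1"},
    {"label": "Explicitly Distrust Example Bad Root CA", "der": b"constructed-der-bad-1"},
    {"label": "Explicitly Distrusted Example Bad PKIoverheid G2", "der": b"constructed-der-bad-2"},
    {"label": "Another Trusted Root CA", "der": b"constructed-der-good-2"},
])

if __name__ == "__main__":
    cleaned, dropped = clean_bundle(SAMPLE_BUNDLE)
    print("dropped:", dropped)
    print(cleaned)
```

Run it against a real bundle by reading the file into `clean_bundle()`; passing a set of known-bad fingerprints as `blocklist` catches a distrusted certificate even when its label comment has been rewritten or stripped.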

Create symlink pointing to ${CABUNDLE}

This is probably non-standard, but other distros do this, possibly to ensure that Steam can work, by creating /etc/ssl/certs/ca-certificates.crt, which in this case would just be /etc/pki/tls/certs/ca-bundle.crt (${CABUNDLE}).

This could be accomplished by creating a symlink near or at the end as a finishing step to ensure compatibility. Again, probably not standard: most applications like wget and git do not depend on /etc/ssl/certs/ca-certificates.crt, but Steam does, and for those who want to go for it, it would be a hassle to troubleshoot.

What do you think, would this be a good idea to add?

help2man error in make-ca

Hi,
I previously compiled the help2man package and then went for make-ca, but it gave the following error.
ERRORS:
help2man: can't get `--help' info from ./make-ca
Try `--no-discard-stderr' if option outputs to stderr
make: *** [Makefile:13: man] Error 127

Can anyone please help?

Thanks and regards!
Rushikesh J.

make-ca support for openssl 3.0

Hi lucas,

I am raising this issue as I see you are the author of the script below:

#!/usr/bin/perl -w
#
# Used to generate PEM encoded files from Mozilla certdata.txt.
#
# Run as ./make-cert.pl > certificate.crt
#
# Parts of this script courtesy of RedHat (mkcabundle.pl)
#
# This script modified for use with single file data (tempfile.cer) extracted
# from certdata.txt, taken from the latest version in the Mozilla NSS source.
#
# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Authors: DJ Lucas
#          Bruce Dubbs
#
# Version 20120211

When I tried this script with openssl 3.0 alpha 13 (I also noticed this issue from alpha 8 onwards):

root [ /usr/src/photon/BUILD ]# perl bin/make-cert.pl > tempfile.crt
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "en_IN:en",
LC_ALL = (unset),
LANG = "en_IN"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Could not read certificate from
C021F069927F0000:error:0680008E:asn1 encoding routines:asn1_d2i_read_bio:not enough data:crypto/asn1/a_d2i_fp.c:198:
Unable to load certificate

I see that the input file tempfile.cer has the contents, but somehow make-cert.pl does not seem to work with the latest openssl 3.0.0 alpha release; it does not generate tempfile.crt.
https://github.com/openssl/openssl/releases/tag/openssl-3.0.0-alpha13

Please note that this script works with 1.1.1 or 1.0.2 openssl without issues.

Any help in this regard is much appreciated.
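
make-cert.pl depends on the openssl binary to turn the octal-encoded CKA_VALUE from certdata.txt into PEM. As an added example (not make-cert.pl, mkcabundle.pl or make-ca code), the parser below reads the certdata.txt object format directly in Python, so it does not depend on the OpenSSL version at all, and it honours the CKA_TRUST_* attributes: only certificates whose trust object says CKT_NSS_TRUSTED_DELEGATOR for the requested purpose become anchors, and CKT_NSS_NOT_TRUSTED entries are reported separately instead of landing in the bundle. Pairing certificates with trust objects by CKA_LABEL follows the convention of the Perl scripts; a real certdata.txt also carries CKA_ISSUER and CKA_SERIAL_NUMBER, which a stricter pairing would use. The sample data is constructed and its CKA_VALUE payloads are placeholder bytes, not real DER certificates.

```python
"""Extract trust anchors from a Mozilla certdata.txt without calling openssl.

Added example, not make-cert.pl or make-ca code. Certificates and trust objects
are paired by CKA_LABEL (an assumption taken from the Perl scripts' convention).
"""
import base64
import re

OCTAL_BYTE = re.compile(r"\\([0-7]{3})")
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"
NOT_TRUSTED = "CKT_NSS_NOT_TRUSTED"


def _decode_octal(lines):
    """Turn MULTILINE_OCTAL lines such as \\060\\202 into bytes."""
    return bytes(int(m, 8) for m in OCTAL_BYTE.findall("".join(lines)))


def parse_certdata(text: str):
    """Return the objects in a certdata.txt as dicts of CKA_* attribute -> value.

    UTF8 and enum attributes become str; MULTILINE_OCTAL attributes become bytes.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError("malformed certdata line: %r" % raw)
        attr, typ = parts[0], parts[1]
        value = parts[2].strip() if len(parts) == 3 else ""
        if attr == "CKA_CLASS":           # every object starts with its class
            current = {}
            objects.append(current)
        if current is None:
            raise ValueError("attribute before first CKA_CLASS: %r" % raw)
        if typ == "MULTILINE_OCTAL":      # value continues on following lines up to END
            octal = []
            for oline in lines:
                if oline.strip() == "END":
                    break
                octal.append(oline)
            else:
                raise ValueError("unterminated MULTILINE_OCTAL for " + attr)
            current[attr] = _decode_octal(octal)
        elif typ == "UTF8":
            current[attr] = value.strip('"')
        else:
            current[attr] = value
    return objects


def trust_anchors(text: str, purpose: str = "CKA_TRUST_SERVER_AUTH"):
    """Return (anchors, distrusted): lists of (label, der) for one trust purpose.

    A certificate whose trust flag is CKT_NSS_MUST_VERIFY_TRUST, or which has no
    trust object at all, is neither an anchor nor explicitly distrusted.
    """
    objs = parse_certdata(text)
    certs = {o.get("CKA_LABEL", ""): o["CKA_VALUE"] for o in objs
             if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and "CKA_VALUE" in o}
    trust = {o.get("CKA_LABEL", ""): o.get(purpose, "") for o in objs
             if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    anchors, distrusted = [], []
    for label, der in certs.items():
        flag = trust.get(label)
        if flag == TRUSTED:
            anchors.append((label, der))
        elif flag == NOT_TRUSTED:
            distrusted.append((label, der))
    return anchors, distrusted


def to_pem(der: bytes) -> str:
    """PEM-encode DER with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def make_bundle(text: str) -> str:
    """PEM bundle of server-auth anchors, each preceded by its label comment."""
    anchors, _ = trust_anchors(text)
    return "".join("# %s\n%s" % (label, to_pem(der)) for label, der in anchors)


# Constructed sample in the certdata.txt layout; CKA_VALUE payloads are placeholders.
SAMPLE_CERTDATA = r"""
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
\107\117\117\104
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Explicitly Distrust Example Bad Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
\102\101\104\041
END

# Trust for "Explicitly Distrust Example Bad Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Explicitly Distrust Example Bad Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

if __name__ == "__main__":
    print(make_bundle(SAMPLE_CERTDATA))
```

Pass a different `purpose` (for example `CKA_TRUST_EMAIL_PROTECTION`) to `trust_anchors()` to build the S/MIME or code-signing bundles from the same parse.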

[Suggestion] put relevant configuration files in a folder in /etc

Hello DJ,

I'd like to request that we put relevant configuration files for make-ca in a separate folder in /etc. When we just had /etc/make-ca.conf.dist, that was OK, but I now see a CS.txt in my /etc folder as well.

Something like /etc/make-ca? We could put /etc/make-ca.conf.dist and /etc/CS.txt over in there.

This isn't urgent and you're free to close it if you would like!

make install installs systemd timers in /usr/lib/systemd

Hi DJ,

I received a couple of reports in IRC about systems having systemd units installed for make-ca on SysV systems.

I suspect this is because some other package on their systems is creating /usr/lib/systemd, but not populating it with units. It could be elogind too, not sure on that one...

I was wondering if the following Makefile tweak would work for you:

# Skip the units when the system boots with SysV init (/etc/inittab present)
install_systemd:
	if test -e /etc/inittab; then \
	    echo "not installing systemd units"; \
	elif test -d /usr/lib/systemd/system; then \
	    install -vdm755 $(DESTDIR)/usr/lib/systemd/system; \
	    install -vm644  systemd/* $(DESTDIR)/usr/lib/systemd/system; \
	elif test -d /lib/systemd/system; then \
	    install -vdm755 $(DESTDIR)/lib/systemd/system; \
	    install -vm644  systemd/* $(DESTDIR)/lib/systemd/system; \
	fi

If not, that's totally good with me too. Just a suggestion on how to prevent the installation of those units going forward.

  • Doug

make-ca outputs an error when run for the first time

Following the instructions in the BLFS book for make-ca-1.8.1, I noticed the following output when running 'make-ca -g':

grep: /etc/pki/anchors: No such file or directory
Processing local certificates...
Extracting OpenSSL certificates to:
/etc/ssl/certs...Done!
Extracting GNUTLS server auth certificates to:
/etc/pki/tls/certs/ca-bundle.crt...Done!
Extracting GNUTLS S-Mime certificates to:
/etc/pki/tls/certs/email-ca-bundle.crt...Done!
Extracting GNUTLS code signing certificates to:
/etc/pki/tls/certs/objsign-ca-bundle.crt...Done!
Extracting Java cacerts (JKS) to:
/etc/pki/tls/java/cacerts...Done!

What I'm concerned about is the "grep: /etc/pki/anchors: No such file or directory". When run again, the script executes properly. Could we guard that 'grep' with an if statement to check whether /etc/pki/anchors has been created already?

Again, not urgent, and you're welcome to close this if you like, just a quick suggestion for improvements (and also to avoid mailing list inquiries)

no Java certs

I installed OpenJDK 12.0.2+10, then I installed make-ca 1.5, then I ran
make-ca -g
as root, and it did a lot of things to my /etc/pki directory, but there are no Java certificates.

keytool -list -cacerts
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries

1.5 release

Hi! You just merged #3 and I'm wondering if I can convince you to publish a new release here. I'm packaging this code, and having a release tarball would be extremely helpful so I don't have to patch version 1.4.

2 issues

In the Makefile (man: make_ca):

  1. The man target executes the make_ca target and never executes its own commands. There is no need to call the make_ca target again; it is not required. I just removed the make_ca target from man and added the line below:
  2. chmod 755 make-ca.8
     and executed it.
     Please test and fix it. Thanks :)

blanks in get_p11_label

Hi,

I noticed a problem in function get_p11_label() of make-ca (1.7).
This function is (also) used for local x509 certificates.
However, "OpenSSL text values" may have spaces around the '=' in CN, OU, O fields.
This is not properly matched by the regexes in that function, and thus the certificate filename is a generic fallback, rather than based on the label.

Attached please find a patch to correct this problem.

make-ca-1.7.label1.patch.txt
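
The failure described above is a matching problem: a regex written for `CN=value` silently misses `CN = value`, and the certificate file falls back to a generic name. As an added example (not make-ca's get_p11_label() and not the attached patch), the parser below tokenises the subject text that OpenSSL prints and derives a label from it regardless of spacing around '=', separator style ('/' in 1.0.2, ',' in 1.1.x and 3.x), RFC 2253 backslash escapes and double-quoted values. The CN, then OU, then O preference order is an assumption; make-ca's own order may differ. The input lines are constructed in the shapes OpenSSL emits.

```python
"""Build a certificate label from OpenSSL's subject text, whatever the spacing.

Added example, not make-ca's get_p11_label() or the attached patch. Accepted
input shapes (constructed, in the forms OpenSSL prints):
    subject=CN = Example Root CA, O = Example Corp      1.1.x and 3.x default
    subject=CN=Example Root CA,O=Example Corp          -nameopt RFC2253
    subject= /C=US/O=Example Corp/CN=Example Root CA   1.0.2 default
    Subject: C = US, O = Example Corp, CN = ...        from -text output
"""
import re

LABEL_PREFERENCE = ("CN", "OU", "O")   # assumed order; make-ca's may differ


def parse_subject(line: str):
    """Return the subject as an ordered list of (attribute, value) pairs.

    Handles ',' and '/' separators, optional spaces around '=', backslash
    escapes (RFC 2253 "\\,") and double-quoted values, so a comma inside an
    organisation name does not split the RDN.
    """
    body = line.strip()
    for prefix in ("subject=", "Subject:"):
        if body.startswith(prefix):
            body = body[len(prefix):].strip()
            break
    sep = "/" if body.startswith("/") else ","
    if sep == "/":
        body = body[1:]
    parts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # keep the escaped character literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if "=" not in part:
            continue                     # tolerate junk such as a trailing separator
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def get_label(subject_line: str, fallback: str = "Unnamed certificate") -> str:
    """Pick the most specific naming attribute present, else a generic label."""
    rdns = parse_subject(subject_line)
    for wanted in LABEL_PREFERENCE:
        for attr, value in rdns:
            if attr == wanted and value:
                return value
    return fallback


def label_to_filename(label: str) -> str:
    """Safe file name: anything outside [A-Za-z0-9._-] becomes '_'."""
    name = re.sub(r"[^A-Za-z0-9._-]+", "_", label).strip("_")
    return name or "certificate"


if __name__ == "__main__":
    for line in ("subject=CN = Example Root CA, O = Example Corp",
                 "subject= /C=US/O=Example Corp/CN=Example Root CA",
                 "subject=O = Example Corp, OU = Example Unit"):
        print(label_to_filename(get_label(line)) + ".pem")
```

Feed it the output of `openssl x509 -noout -subject -in <file>` (or the Subject: line from `-text`); a subject with none of CN, OU or O yields the fallback label rather than an exception, which mirrors the generic-filename behaviour the report describes.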