lfs-book / make-ca
PKI setup script for LFS (and others)
Home Page: http://www.linuxfromscratch.org/
License: Other
I assumed we were good, but TrustCor certs exist.
Reported by Robert Bartel via blfs-dev, and it also happens on my system:
Just recently I noticed that the /etc/pki/tls/certs/ca-bundle.crt generated by
make-ca 1.9 includes two explicitly distrusted certificates as indicated by
their comments:
# Explicitly Distrust DigiNotar Root CA
# Explicitly Distrusted DigiNotar PKIoverheid G2
It seems to me that p11-kit and OpenSSL can explicitly distrust certificates in
their CA stores for various usage purposes while the PEM bundle format
(ca-bundle.crt) used mainly by GnuTLS does not support this. So my
interpretation is that all applications using the bundles will trust these bad
certificates.
As make-ca uses p11-kit's "trust extract" utility to generate the PEM bundles, I
looked in trust/extract-pem.c of p11-kit 0.24. Here it looks like it iterates
over all certificates in the CA store and the trust status is only indicated by
the generated comment line. But I could be wrong.
I'm not wanting to create a GitHub account right now to report the issue to the
p11-kit project, so I first ask here if anyone can confirm or reject this?
For the time being I resorted to remove the bad certificates by using the
following command line:
for file in /etc/pki/tls/certs/*.crt; do
    awk -- '/^# Explicitly Distrust/ { delcert = 1 }
            !delcert { print }
            /^-----END/ { delcert = 0 }' "${file}" >"${file}.tmp"
    mv -vf "${file}.tmp" "${file}"
    chmod -v 444 "${file}"
done
Thank you for reading this and keep up the good work!
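A small parser for the p11-kit PEM bundle layout described in the report, written as an added example (not part of the report, of p11-kit or of make-ca) to check a bundle after make-ca has run: it pairs each certificate with the label comment that precedes it, lists the entries whose label says they are distrusted, and can rebuild the bundle without them. The sample bundle, its labels and the placeholder certificate bodies are constructed; the distrust test is the same label prefix the report quotes.

```python
"""Check a p11-kit style PEM bundle for explicitly distrusted anchors; in
`trust extract` output distrust is visible only in the label comment."""
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

# Constructed sample (placeholder bodies, not real certs), p11-kit layout.
SAMPLE_BUNDLE = """\
# Example Trusted Root CA
-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCertificate0
-----END CERTIFICATE-----
# Explicitly Distrust Example Revoked Root
-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCertificate1
-----END CERTIFICATE-----
# Another Trusted Root
-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCertificate2
-----END CERTIFICATE-----
"""

def parse_bundle(text):
    """Return (label, distrusted, pem_block) for every certificate in text."""
    entries, label, block = [], "", None
    for line in text.splitlines():
        if block is None:
            if line.startswith("#"):
                label = line[1:].strip()  # last comment before BEGIN wins
            elif line.strip() == BEGIN:
                block = [line]
        else:
            block.append(line)
            if line.strip() == END:
                bad = label.lower().startswith("explicitly distrust")
                entries.append((label, bad, "\n".join(block)))
                label, block = "", None
    return entries

def distrusted_labels(text):
    """Labels of certificates the bundle carries although p11-kit distrusts them."""
    return [label for label, bad, _ in parse_bundle(text) if bad]

def filter_bundle(text):
    """Rebuild the bundle without the distrusted entries, keeping the labels."""
    out = []
    for label, bad, pem in parse_bundle(text):
        if not bad:
            out += ["# " + label] if label else []
            out.append(pem)
    return "\n".join(out) + "\n"
```

Run `distrusted_labels` over the real ca-bundle.crt to confirm the bundle is clean; an empty list is the expected result once the distrusted entries are gone.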
Let's try to silence the warning...
This is probably non-standard, but other distros do this, possibly to ensure that Steam can work, which is creating /etc/ssl/certs/ca-certificates.crt which in this case would just be /etc/pki/tls/certs/ca-bundle.crt (${CABUNDLE}).
This could be accomplished by creating a symlink near or at the end as a finishing step to ensure compatibility. Again, probably not standard; most applications like wget and git do not depend on /etc/ssl/certs/ca-certificates.crt, but Steam does, and for those that wanna go for it, it would be a hassle to troubleshoot.
What do you think, would this be a good idea to add?
Yeah, we all do that, this is just a request to try to keep it in sync.
Hi,
Previously I compiled the help2man package and then went on to make-ca, but it gave the following error.
ERRORS:
help2man: can't get `--help' info from ./make-ca
Try `--no-discard-stderr' if option outputs to stderr
make: *** [Makefile:13: man] Error 127
Can any one please help?
Thanks and regards!
Rushikesh J.
Hi lucas,
I am raising this issue as I see you are the author of the script below:
#!/usr/bin/perl -w
When I tried this script with openssl 3.0 alpha 13 (I also noticed this issue from alpha 8 onwards):
root [ /usr/src/photon/BUILD ]# perl bin/make-cert.pl > tempfile.crt
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "en_IN:en",
LC_ALL = (unset),
LANG = "en_IN"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Could not read certificate from
C021F069927F0000:error:0680008E:asn1 encoding routines:asn1_d2i_read_bio:not enough data:crypto/asn1/a_d2i_fp.c:198:
Unable to load certificate
I see that the input file tempfile.cer has the contents, but somehow make-cert.pl does not seem to work with the latest openssl 3.0.0 alpha release; it does not generate tempfile.crt.
https://github.com/openssl/openssl/releases/tag/openssl-3.0.0-alpha13
Please note that this script works with 1.1.1 or 1.0.2 openssl without issues.
Any help in this regard is much appreciated.
Hello DJ,
I'd like to request that we put relevant configuration files for make-ca in a separate folder in /etc. When we just had /etc/make-ca.conf.dist, that was OK, but I now see a CS.txt in my /etc folder as well.
Something like /etc/make-ca? We could put /etc/make-ca.conf.dist and /etc/CS.txt over in there.
This isn't urgent and you're free to close it if you would like!
Hi DJ,
I received a couple of reports in IRC about systems having systemd units installed for make-ca on SysV systems.
I suspect this is because some other package on their systems is creating /usr/lib/systemd, but not populating it with units. It could be elogind too, not sure on that one...
I was wondering if the following Makefile tweak would work for you:
install_systemd:
	if test -e /etc/inittab; then \
	    echo "not installing systemd units"; \
	elif test -d /usr/lib/systemd/system; then \
	    install -vdm755 $(DESTDIR)/usr/lib/systemd/system; \
	    install -vm644 systemd/* $(DESTDIR)/usr/lib/systemd/system; \
	elif test -d /lib/systemd/system; then \
	    install -vdm755 $(DESTDIR)/lib/systemd/system; \
	    install -vm644 systemd/* $(DESTDIR)/lib/systemd/system; \
	fi
If not, that's totally good with me too. Just a suggestion on how to prevent the installation of those units going forward.
Following the instructions in the BLFS book for make-ca-1.8.1, I noticed the following output when running 'make-ca -g':
grep: /etc/pki/anchors: No such file or directory
Processing local certificates...
Extracting OpenSSL certificates to:
/etc/ssl/certs...Done!
Extracting GNUTLS server auth certificates to:
/etc/pki/tls/certs/ca-bundle.crt...Done!
Extracting GNUTLS S-Mime certificates to:
/etc/pki/tls/certs/email-ca-bundle.crt...Done!
Extracting GNUTLS code signing certificates to:
/etc/pki/tls/certs/objsign-ca-bundle.crt...Done!
Extracting Java cacerts (JKS) to:
/etc/pki/tls/java/cacerts...Done!
What I'm concerned about is the "grep: /etc/pki/anchors: No such file or directory". When run again, the script executes properly. Could we guard that 'grep' over an if statement to check if /etc/pki/anchors is created already?
Again, not urgent, and you're welcome to close this if you like, just a quick suggestion for improvements (and also to avoid mailing list inquiries)
I installed OpenJDK 12.0.2+10, then I installed make-ca 1.5, then I ran
make-ca -g
as root, and it did a lot of things to my /etc/pki directory, but there are no Java certificates.
keytool -list -cacerts
Enter keystore password:
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 0 entries
Hi! You just merged #3 and I'm wondering if I can convince you to publish a new release here. I'm packaging this code, and having a release tarball would be extremely helpful so I don't have to patch version 1.4.
in Makefile (man: make_ca)
PS: I want to run this script with a POSIX compatible shell
Hi,
I noticed a problem in function get_p11_label() of make-ca (1.7).
This function is (also) used for local x509 certificates.
However, "OpenSSL text values" may have spaces around the '=' in CN, OU, O fields.
This is not properly matched by the regexes in that function, and thus the certificate filename is a generic fallback, rather than based on the label.
Attached please find a patch to correct this problem.
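Added example (not make-ca's own get_p11_label() and not the attached patch) of a label lookup that tolerates spaces around '=' in OpenSSL subject output, which is the case the report describes, alongside the older slash-separated layout. The CN, then OU, then O priority and the sample subject lines are assumptions made for the example.

```python
"""Derive a p11-kit style label from an OpenSSL subject line, tolerating
both "CN = Foo, O = Bar" (spaces around '=') and "/C=US/O=Bar/CN=Foo"."""
import re

# Field name, optional spaces, '=', optional spaces, then the value up to
# the next ", " or "/" separator or the end of the line.
_FIELD_RE = re.compile(r"(?:^|[,/]\s*)(CN|OU|O)\s*=\s*([^,/]+?)\s*(?=[,/]|$)")

def subject_fields(subject):
    """Map CN/OU/O names to their values; a leading "subject=" is dropped."""
    if subject.startswith("subject="):
        subject = subject.split("=", 1)[1]
    return {name: value for name, value in _FIELD_RE.findall(subject.strip())}

def label_from_subject(subject):
    """Label for the certificate file: CN, else OU, else O (assumed order);
    None when none of the three fields is present, so the caller can fall
    back to a generic filename."""
    fields = subject_fields(subject)
    for name in ("CN", "OU", "O"):
        if fields.get(name):
            return fields[name]
    return None

# Constructed subject lines in both OpenSSL layouts (assumed values).
EXAMPLES = [
    "subject=C = NL, O = Example Org, CN = Example Root CA",
    "subject= /C=NL/O=Example Org/CN=Example Root CA",
    "O = Example Org, OU = Example Unit",
    "subject=C = US, ST = Somewhere",
]

if __name__ == "__main__":
    for s in EXAMPLES:
        print(repr(s), "->", label_from_subject(s))
```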