GitHub - djlucas/ca-tools: Distro agnostic tools to manage PKI infrastructure for Linux hosts

djlucas / ca-tools Public

Notifications You must be signed in to change notification settings
Fork 0
Star 3

Distro agnostic tools to manage PKI infrastructure for Linux hosts

Unknown and 2 other licenses found

Licenses found

3 stars 0 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 37 Commits
LICENSE		LICENSE
LICENSE.GPLv3		LICENSE.GPLv3
LICENSE.MIT		LICENSE.MIT
Makefile		Makefile
README		README
add-local-trust		add-local-trust
add-local-trust.8		add-local-trust.8
copy-trust-modifications		copy-trust-modifications
mozilla-ca-root.pem		mozilla-ca-root.pem
update-ccadb		update-ccadb
update-ccadb.8		update-ccadb.8
update-certdata		update-certdata
update-certdata.8		update-certdata.8

Repository files navigation

ca-tools provides utilities to deliver and manage a complete PKI configuration
for workstations and servers using only standard Unix utilities, OpenSSL,
p11-kit, and Python-3.

The update-certdata utility will check the existng local version of
certdata.txt against the version in Mozzila's HG instance for NSS, and if
necessary, download and install an updated version. It will then proceed to
populate the P11-kit trust anchors using Mozilla's trust arguments.
Additionally, if any p11-kit format files are in place in the local directory,
they will overwrite those taken from the Mozilla store.

The update-ccadb utility will download the latest version of certificate
bundles from the Common CA Database managed by Mozilla, Microsoft, and Google.
It will then proceed to populate the P11-kit trust anchors using the trust
values for the bundles downloaded. Additionally, if any p11-kit format files
are in place in the local directory, they will overwrite those taken from the
CCADB bundles.

The add-local-trust utility will take a PEM formatted CA Root and convert to
a P11-Kit formatted file and place into the local directory with trust values
selected by the user. These files will later override trust in the above two
certificate sources.

A p11-kit helper, copy-trust-modifications, is included for use in p11-kit's
trust-extract-compat script (which should be symlinked to the user's path as
update-ca-certificates). Manual creation of OpenSSL Trusted certificates is no
longer required for general use. Instead, import the certificate using
p11-kit's 'trust anchor --store /path/to/certificate.crt' functionality.
This will recreate the individual stores assigning approriate permissions to
the newly added anchor(s). Additionally, a copy of any newly added anchors will
be placed into $LOCALDIR for future use.

For the p11-kit distro hook, remove the "not configured" and "exit 1" lines
from trust/trust-extract-compat, and append the following (substitute
update-certdata if you are still using certdata.txt instead of CCADB):
===============================================================================
# Copy existing modifications to local store
/usr/libexec/ca-tools/copy-trust-modifications

# Update trust stores
/usr/sbin/update-ccadb
===============================================================================

If you wish to distribute the results of this script as a standalone package,
unlike in the BLFS distribution for which it was originally written, where the
end user is ultimately responsible for the content, you, as the distributor, are
taking ownership for the results. You are strongly encouraged to define a
written inclusion policy, distribute all blacklisted files as a part of the
local directory, and to provide the written policy in the distributed package.