On 01/27/2013 06:18 AM, Jean-Philippe MENGUAL wrote:
> Hi,
>
> Thanks very much for the information. I probably didn't understand everything
> in the process, anyway. Indeed, in make-ca.sh, I replaced
> BUNDLE="BLFS-ca-bundle-${VERSION}.crt" with AddTrustExternalCARoot.crt.
> Then I ran script. I also updated mozilla's certs, through the process
> described in the book and also with mozilla-root.crt.
>
> So .pem are all updated and generated. Is it enough? Should the ca-bundle.crt
> be updated itself? Because with such process, fetchmail displays the same
> thing.
>
> Did I misunderstand something in this process of certificates?
>
> Thanks very much and sorry to disturb but I've to say that these security
> concepts are not natural for me.
>
> Best regards,
>


The steps should be:

certhost='http://mxr.mozilla.org' &&
certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &&
url="$certhost$certdir/certdata.txt?raw=1" &&
wget --output-document certdata.txt $url &&
unset certhost certdir url &&
make-ca.sh &&
remove-expired-certs.sh

Those update to the latest Mozilla certs, and the following adds your 
new CA root to the trusted certs:

keyhash=$(openssl x509 -noout -in AddTrustExternalCARoot.crt -hash) &&
cp AddTrustExternalCARoot.crt \
    /etc/ssl/certs/${keyhash}.pem &&
c_rehash &&
unset keyhash

To update the bundle, with what is currently in /etc/ssl/certs, run the 
following command at any time:

cat /etc/ssl/certs/*.pem > /etc/ssl/ca-bundle.crt

-- DJ

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
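The hash-naming, bundle and verification steps from DJ's reply, as an added example that is not from the list post or from BLFS. It works in a scratch directory instead of /etc/ssl, generates a throwaway self-signed CA as a stand-in for AddTrustExternalCARoot.crt (a constructed input, not the real root), and creates the hash-named file directly with `openssl x509 -hash` rather than calling c_rehash. The WORK, CERTDIR and BUNDLE paths and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: hash-named CA install and bundle build in a scratch
# directory. Nothing here touches /etc/ssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # assumed scratch root
CERTDIR="$WORK/certs"            # stands in for /etc/ssl/certs
BUNDLE="$WORK/ca-bundle.crt"     # stands in for /etc/ssl/ca-bundle.crt
mkdir -p "$CERTDIR"

# make_test_ca NAME: constructed sample input, a self-signed CA that plays
# the role of the new root certificate. Prints the PEM path.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
    printf '%s\n' "$WORK/$1.crt"
}

# install_ca FILE: copy FILE into CERTDIR under its subject-hash name, the
# same name c_rehash would link and OpenSSL looks up when it walks a chain.
# Prints the destination path.
install_ca() {
    keyhash=$(openssl x509 -noout -in "$1" -hash)
    cp "$1" "$CERTDIR/$keyhash.pem"
    printf '%s\n' "$CERTDIR/$keyhash.pem"
}

# build_bundle: concatenate every PEM in CERTDIR into the bundle file, which
# is what programs like fetchmail read when pointed at a single CA file.
build_bundle() {
    cat "$CERTDIR"/*.pem > "$BUNDLE"
    printf '%s\n' "$BUNDLE"
}

# bundle_count: how many certificates the bundle currently holds.
bundle_count() {
    grep -c 'BEGIN CERTIFICATE' "$BUNDLE"
}

# verify_against_bundle CERT: succeed only if CERT chains to a CA in the
# bundle. A root that was never installed must fail here; that is the check
# to run when a client still reports an untrusted server certificate.
verify_against_bundle() {
    openssl verify -CAfile "$BUNDLE" "$1" >/dev/null 2>&1
}

# run_demo: full flow, executed only when invoked as `sh thisfile.sh run`.
run_demo() {
    ca=$(make_test_ca TestRootA)
    echo "installed as $(install_ca "$ca")"
    echo "bundle at $(build_bundle) with $(bundle_count) cert(s)"
    verify_against_bundle "$ca" && echo "TestRootA: trusted"
    other=$(make_test_ca TestRootB)
    verify_against_bundle "$other" || echo "TestRootB: not trusted (expected)"
}

if [ "${1:-}" = "run" ]; then
    run_demo
fi
```

Running it with `run` shows the point of the hash name and the bundle together: the root you copied in verifies, a root you did not copy in does not, and the bundle only changes when you rebuild it from the directory, which is why re-running the cat step after adding a .pem matters.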