mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-28 14:56:35 +00:00
Merge branch 'master' into 'master'
Using Shared System Certificates Review please. See merge request !6
This commit is contained in:
Robert Kratky
commit
2c85978207
5 changed files with 156 additions and 6 deletions
|
|
@ -1000,16 +1000,14 @@ insmod lvm</pre>
|
|||
</div>
|
||||
</li>
|
||||
<li>
|
||||
<p>Study the output for the partition table of the <code>/dev/sda</code> device. It may look similar to the following example on a dos partition table with three partitons.
|
||||
will look something like this:</p>
|
||||
<p>Examine the output to understand the partition table of the <code>/dev/sda</code> device. The following example shows a DOS partition table with three partitions:</p>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
<pre>(hd0) (hd0,msdos3) (hd0,msdos2) (hd0,msdos1)</pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>or similar to this output on a gpt partition table of the <code>/dev/sda</code> device with four
|
||||
partitions.</p>
|
||||
<p>A GPT partition table of the <code>/dev/sda</code> device with four partitions could look like this:</p>
|
||||
</div>
|
||||
<div class="listingblock">
|
||||
<div class="content">
|
||||
|
|
@ -1025,7 +1023,7 @@ partitions.</p>
|
|||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>The outcome of the previous command will list the files on <code>/dev/sda1</code>. If this partition contains the <code>/boot</code> directory, it will show the full name of <code>vmlinuz</code> and <code>initramfs</code>.</p>
|
||||
<p>The outcome of the previous command will list the files on <code>/dev/sda1</code>. The partition that contains the <code>/boot</code> directory is the correct one. There you will search for the full names of the <code>vmlinuz</code> and <code>initramfs</code> files.</p>
|
||||
</div>
|
||||
</li>
|
||||
<li>
|
||||
|
|
@ -1035,6 +1033,9 @@ partitions.</p>
|
|||
<pre>grub> set root=(hd0,3)</pre>
|
||||
</div>
|
||||
</div>
|
||||
<div class="paragraph">
|
||||
<p>This command tells the bootloader, that the root partition is the third partition on the first drive. This would correspond to the <code>/dev/sda3</code> device.</p>
|
||||
</div>
|
||||
</li>
|
||||
<li>
|
||||
<p>Set the desired kernel.</p>
|
||||
|
|
@ -1273,7 +1274,7 @@ improved? Edit this document at <a href="https://pagure.io/fedora-docs/quick-doc
|
|||
</div>
|
||||
<div id="footer">
|
||||
<div id="footer-text">
|
||||
Last updated 2017-12-13 11:39:02 CET
|
||||
Last updated 2017-12-14 09:44:46 CET
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
|
|
|||
14
en-US/modules/concept_using-the-system-wide-trust-store.adoc
Normal file
14
en-US/modules/concept_using-the-system-wide-trust-store.adoc
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
[[using-the-system-wide-trust-store]]
|
||||
= Using the System-wide Trust Store
|
||||
|
||||
In Fedora, the consolidated system-wide trust store is located in the `/etc/pki/ca-trust/` and `/usr/share/pki/ca-trust-source/` directories. The trust settings in `/usr/share/pki/ca-trust-source/` are processed with lower priority than settings in `/etc/pki/ca-trust/`.
|
||||
|
||||
Certificate files are treated depending on the subdirectory they are installed to:
|
||||
|
||||
* `/usr/share/pki/ca-trust-source/anchors/` or `/etc/pki/ca-trust/source/anchors/` - for trust anchors.
|
||||
|
||||
* `/usr/share/pki/ca-trust-source/blacklist/` or `/etc/pki/ca-trust/source/blacklist/` - for distrusted certificates.
|
||||
|
||||
* `/usr/share/pki/ca-trust-source/` or `/etc/pki/ca-trust/source/` - for certificates in the extended BEGIN TRUSTED file format.
|
||||
|
||||
NOTE: In a hierarchical cryptographic system, a trust anchor is an authoritative entity which is assumed to be trustworthy. For example, in X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. The trust anchor must be put in the possession of the trusting party beforehand to make path validation possible.
|
||||
28
en-US/modules/proc_adding-new-certificates.adoc
Normal file
28
en-US/modules/proc_adding-new-certificates.adoc
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
[[sec-Adding-New-Certificates]]
|
||||
= Adding New Certificates
|
||||
|
||||
.Before you start
|
||||
|
||||
.Procedure
|
||||
|
||||
To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the `/usr/share/pki/ca-trust-source/anchors/` or `/etc/pki/ca-trust/source/anchors/` directory, for example:
|
||||
|
||||
[subs="macros"]
|
||||
----
|
||||
# cp pass:quotes[_~/certificate-trust-examples/Cert-trust-test-ca.pem_] pass:quotes[_/usr/share/pki/ca-trust-source/anchors/_]
|
||||
----
|
||||
|
||||
To update system-wide trust store configuration, use the [command]`update-ca-trust` command:
|
||||
|
||||
----
|
||||
# update-ca-trust
|
||||
----
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
|
||||
While the Firefox browser is able to use an added certificate without executing [command]`update-ca-trust`, it is recommended to run [command]`update-ca-trust` after a CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear browser's cache or restart your browser to load current system certificates configuration.
|
||||
|
||||
====
|
||||
|
||||
.More information
|
||||
86
en-US/modules/proc_managing-trusted-system-certificates.adoc
Normal file
86
en-US/modules/proc_managing-trusted-system-certificates.adoc
Normal file
|
|
@ -0,0 +1,86 @@
|
|||
[[sec-Managing-Trusted-System-Certificates]]
|
||||
= Managing Trusted System Certificates
|
||||
|
||||
.Before you start
|
||||
|
||||
|
||||
|
||||
.Procedure
|
||||
|
||||
To list, extract, add, remove, or change trust anchors, use the [command]`trust` command. To see the built-in help for this command, enter it without any argument or with the [option]`--help` directive:
|
||||
|
||||
[subs="quotes, macros"]
|
||||
----
|
||||
$ [command]`trust`
|
||||
usage: trust command <args>...
|
||||
|
||||
Common trust commands are:
|
||||
list List trust or certificates
|
||||
extract Extract certificates and trust
|
||||
extract-compat Extract trust compatibility bundles
|
||||
anchor Add, remove, change trust anchors
|
||||
dump Dump trust objects in internal format
|
||||
|
||||
See 'trust <command> --help' for more information
|
||||
----
|
||||
|
||||
To list all system trust anchors and certificates, use the [command]`trust list` command:
|
||||
|
||||
[subs="quotes, macros"]
|
||||
----
|
||||
$ [command]`trust list`
|
||||
pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
|
||||
type: certificate
|
||||
label: ACCVRAIZ1
|
||||
trust: anchor
|
||||
category: authority
|
||||
|
||||
pkcs11:id=%a6%b3%e1%2b%2b%49%b6%d7%73%a1%aa%94%f5%01%e7%73%65%4c%ac%50;type=cert
|
||||
type: certificate
|
||||
label: ACEDICOM Root
|
||||
trust: anchor
|
||||
category: authority
|
||||
...
|
||||
[output has been truncated]
|
||||
----
|
||||
|
||||
|
||||
|
||||
To store a trust anchor into the system-wide trust store, use the [command]`trust anchor` sub-command and specify a _path.to_ a certificate, for example:
|
||||
|
||||
[subs="macros"]
|
||||
----
|
||||
# trust anchor pass:quotes[_path.to/certificate.crt_]
|
||||
----
|
||||
|
||||
To remove a certificate, use either a _path.to_ a certificate or an ID of a certificate:
|
||||
|
||||
[subs="macros"]
|
||||
----
|
||||
# trust anchor --remove pass:quotes[_path.to/certificate.crt_]
|
||||
# trust anchor --remove pass:quotes[_"pkcs11:id=%AA%BB%CC%DD%EE;type=cert"_]
|
||||
----
|
||||
|
||||
.More information
|
||||
|
||||
All sub-commands of the [command]`trust` commands offer a detailed built-in help, for example:
|
||||
|
||||
----
|
||||
$ trust list --help
|
||||
usage: trust list --filter=<what>
|
||||
|
||||
--filter=<what> filter of what to export
|
||||
ca-anchors certificate anchors
|
||||
blacklist blacklisted certificates
|
||||
trust-policy anchors and blacklist (default)
|
||||
certificates all certificates
|
||||
pkcs11:object=xx a PKCS#11 URI
|
||||
--purpose=<usage> limit to certificates usable for the purpose
|
||||
server-auth for authenticating servers
|
||||
client-auth for authenticating clients
|
||||
email for email protection
|
||||
code-signing for authenticating signed code
|
||||
1.2.3.4.5... an arbitrary object id
|
||||
-v, --verbose show verbose debug output
|
||||
-q, --quiet suppress command output
|
||||
----
|
||||
21
en-US/using-shared-system-certificates.adoc
Normal file
21
en-US/using-shared-system-certificates.adoc
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
:md: ./modules
|
||||
|
||||
[[using-shared-system-certificates]]
|
||||
= Using Shared System Certificates
|
||||
|
||||
The Shared System Certificates storage enables NSS, GnuTLS, OpenSSL, and Java to share a default source for retrieving system certificate anchors and black list information. By default, the trust store contains the Mozilla CA list, including positive and negative trust. The system allows updating of the core Mozilla CA list or choosing another certificate list.
|
||||
|
||||
include::{md}/concept_using-the-system-wide-trust-store.adoc[leveloffset=+1]
|
||||
|
||||
include::{md}/proc_adding-new-certificates.adoc[leveloffset=+1]
|
||||
|
||||
include::{md}/proc_managing-trusted-system-certificates.adoc[leveloffset=+1]
|
||||
|
||||
[[shared-system-certificates-additional-resources]]
|
||||
== Additional Resources
|
||||
|
||||
For more information, see the following man pages:
|
||||
|
||||
* `update-ca-trust(8)`
|
||||
|
||||
* `trust(1)`
|
||||
Loading…
Reference in a new issue