mirror of
https://codeberg.org/kiss-community/repo
synced 2024-11-19 21:20:07 -07:00
82 lines
3.6 KiB
Groff
82 lines
3.6 KiB
Groff
.\" generated by cd2nroff 0.1 from mk-ca-bundle.md
|
|
.TH mk-ca-bundle 1 mk-ca-bundle
|
|
.SH NAME
|
|
mk\-ca\-bundle \- convert Mozilla\(aqs certificate bundle to PEM format
|
|
.SH SYNOPSIS
|
|
mk\-ca\-bundle [options] [output]
|
|
.SH DESCRIPTION
|
|
This tool downloads the \fIcertdata.txt\fP file from Mozilla\(aqs source tree over
|
|
HTTPS, then parses it and extracts the included certificates into PEM format.
|
|
By default, only CA root certificates trusted to issue SSL server
|
|
authentication certificates are extracted. These are then processed with the
|
|
OpenSSL command line tool to produce the final ca\-bundle output file.
|
|
|
|
The default \fIoutput\fP name is \fBca\-bundle.crt\fP. By setting it to \(aq\-\(aq (a single
|
|
dash) you get the output sent to STDOUT instead of a file.
|
|
|
|
The PEM format this scripts uses for output makes the result readily available
|
|
for use by just about all OpenSSL or GnuTLS powered applications, such as curl
|
|
and others.
|
|
.SH OPTIONS
|
|
The following options are supported:
|
|
.IP -b
|
|
backup an existing version of \fIoutput\fP
|
|
.IP "-d [name]"
|
|
specify which Mozilla tree to pull \fIcertdata.txt\fP from (or a custom URL).
|
|
Valid names are: \fBaurora\fP, \fBbeta\fP, \fBcentral\fP, \fBMozilla\fP, \fBnss\fP,
|
|
\fBrelease\fP (default). They are shortcuts for which source tree to get the
|
|
certificate data from.
|
|
.IP -f
|
|
force rebuild even if \fIcertdata.txt\fP is current (Added in version 1.17)
|
|
.IP -i
|
|
print version info about used modules
|
|
.IP -k
|
|
Allow insecure data transfer. By default (since 1.27) this command fails if
|
|
the HTTPS transfer fails. This overrides that decision (and opens for
|
|
man\-in\-the\-middle attacks).
|
|
.IP -l
|
|
print license info about \fIcertdata.txt\fP
|
|
.IP -m
|
|
(Added in 1.26) Include meta data comments in the output. The meta data is
|
|
specific information about each certificate that is stored in the original
|
|
file as comments and using this option makes those comments get passed on to
|
|
the output file. The meta data is not parsed in any way by mk\-ca\-bundle.
|
|
.IP -n
|
|
Do not download \fIcertdata.txt\fP \- use the existing.
|
|
.IP "-p [purposes]:[levels]"
|
|
list of Mozilla trust purposes and levels for certificates to include in
|
|
output. Takes the form of a comma separated list of purposes, a colon, and a
|
|
comma separated list of levels. The default is to include all certificates
|
|
trusted to issue SSL Server certificates (\fISERVER_AUTH:TRUSTED_DELEGATOR\fP).
|
|
|
|
Valid purposes are: \fBALL\fP, \fBDIGITAL_SIGNATURE\fP, \fBNON_REPUDIATION\fP,
|
|
\fBKEY_ENCIPHERMENT\fP, \fBDATA_ENCIPHERMENT\fP, \fBKEY_AGREEMENT\fP,
|
|
\fBKEY_CERT_SIGN\fP, \fBCRL_SIGN\fP, \fBSERVER_AUTH\fP (default), \fBCLIENT_AUTH\fP,
|
|
\fBCODE_SIGNING\fP, \fBEMAIL_PROTECTION\fP, \fBIPSEC_END_SYSTEM\fP,
|
|
\fBIPSEC_TUNNEL\fP, \fBIPSEC_USER\fP, \fBTIME_STAMPING\fP, \fBSTEP_UP_APPROVED\fP
|
|
|
|
Valid trust levels are: \fBALL\fP, \fBTRUSTED_DELEGATOR\fP (default), \fBNOT_TRUSTED\fP,
|
|
\fBMUST_VERIFY_TRUST\fP, \fBTRUSTED\fP
|
|
.IP -q
|
|
be really quiet (no progress output at all)
|
|
.IP -t
|
|
include plain text listing of certificates
|
|
.IP "-s [algorithms]"
|
|
A comma separated list of signature algorithms with which to hash/fingerprint
|
|
each certificate and output when run in plain text mode.
|
|
|
|
Valid algorithms are:
|
|
ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512
|
|
.IP -u
|
|
unlink (remove) \fIcertdata.txt\fP after processing
|
|
.IP -v
|
|
be verbose and print out processed certificate authorities
|
|
.SH EXIT STATUS
|
|
Returns 0 on success. Returns 1 if it fails to download data.
|
|
.SH FILE FORMAT
|
|
The file format used by Mozilla for this trust information is documented here:
|
|
|
|
https://p11\-glue.freedesktop.org/doc/storing\-trust\-policy/storing\-trust\-existing.html
|
|
.SH SEE ALSO
|
|
.BR curl (1)
|