.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4.
.TH MAKE-CA "8" "September 2025" "make-ca 1.16.1" "System Administration Utilities"
.SH NAME
make-ca \- manual page for make-ca 1.16.1
.SH DESCRIPTION
make\-ca is a utility to deliver and manage a complete PKI configuration for
workstations and servers using only standard GNU utilities, OpenSSL, and
P11\-Kit. It will optionally generate keystores for NSS if already installed,
using a Mozilla cacerts.txt or similarly formatted file. It was originally
developed for use with Linux From Scratch to minimize dependencies for the
early system build, but has been written to be generic enough for any Linux
distribution.
.TP
\fB\-C\fR, \fB\-\-certdata\fR [certdata.txt]
The location of the certificates source
.TP
\fB\-D\fR, \fB\-\-destdir\fR [/]
Change the output directory and use relative paths for all other values
.TP
\fB\-P\fR, \fB\-\-pkidir\fR [/etc/pki]
The output PKI root directory \- Cannot be used with the \fB\-a\fR /
\fB\-\-anchordir\fR or \fB\-n\fR / \fB\-\-nssdb\fR switches
.TP
\fB\-S\fR, \fB\-\-ssldir\fR [/etc/ssl]
The output SSL root directory \- Cannot be used with the \fB\-d\fR /
\fB\-\-cadir\fR switch
.TP
\fB\-a\fR, \fB\-\-anchordir\fR [$PKIDIR/anchors]
The output directory for p11\-kit trust anchors
.TP
\fB\-b\fR, \fB\-\-bundledir\fR [$PKIDIR/certs]
The output directory for the PEM formatted bundles
.TP
\fB\-d\fR, \fB\-\-cadir\fR [$SSLDIR/certs]
The output directory for the OpenSSL trusted CA certificates
.TP
\fB\-j\fR, \fB\-\-javacerts\fR [$PKIDIR/java/cacerts]
The output directory for the Java cacerts file(s)
.TP
\fB\-l\fR, \fB\-\-localdir\fR [$SSLDIR/local]
The path to a local set of OpenSSL trusted certificates, used both to override
trust bits from the upstream source and to provide system local certificates
.TP
\fB\-m\fR, \fB\-\-java\-p12\fR
Export Java PKCS#12 store \- this will default to
\fI\,$PKIDIR/java/cacerts.p12\/\fP unless modified by the '\-j/\-\-javacerts'
switch
.TP
\fB\-n\fR, \fB\-\-nssdb\fR [$PKIDIR/nssdb]
The output path for the shared NSS DB
.TP
\fB\-p\fR, \fB\-\-proxy\fR [URI:PORT]
Use proxy server for download
.TP
\fB\-k\fR, \fB\-\-keytool\fR [$JAVA_HOME/bin/keytool]
The path of the Java keytool utility
.TP
\fB\-s\fR, \fB\-\-openssl\fR [/usr/bin/openssl]
The path of the openssl utility
.TP
\fB\-t\fR, \fB\-\-certutil\fR [/usr/bin/certutil]
The path of the NSS certutil utility
.TP
\fB\-u\fR, \fB\-\-trust\fR [/usr/bin/trust]
The path of the p11\-kit trust utility
.TP
\fB\-i\fR, \fB\-\-mscodesign\fR
Use Microsoft's trust values for code signing. You must copy
\fI\,/etc/make\-ca/CS.txt\/\fP to $SSLDIR
.TP
\fB\-f\fR, \fB\-\-force\fR
Force run, even if source is not newer
.TP
\fB\-g\fR, \fB\-\-get\fR
Download certdata.txt directly from Mozilla's Mercurial server
.TP
\fB\-h\fR, \fB\-\-help\fR
Show this help message and exit
.TP
\fB\-r\fR, \fB\-\-rebuild\fR
Rebuild the entire PKI tree using the previous certdata.txt file
.TP
\fB\-v\fR, \fB\-\-version\fR
Show version information and exit
.PP
Example: make\-ca \fB\-f\fR \fB\-C\fR \fI\,~/certdata.txt\/\fP
.SH SYNOPSIS
make-ca -g
.SH EXAMPLES
The make-ca script will process the certificates included in the certdata.txt
file, and place them in the system trust anchors, for use in multiple
certificate stores. Additionally, any local OpenSSL Trusted certificates stored
in /etc/ssl/local will also be imported into the system trust anchors and
certificate stores, making it a full trust management utility.
.PP
The make-ca script depends on OpenSSL >= 1.1.0, P11-Kit >= 0.23.19, and
optionally NSS >= 3.23 and Java >= 1.7. Additionally, Coreutils, gawk, and sed
are used. The default locations for output files can be tailored for your
environment via the /etc/make-ca.conf configuration file. A p11-kit helper,
copy-trust-modifications, is included for use in p11-kit's
trust-extract-compat script (which should be symlinked into the user's path
as update-ca-certificates).
.PP
Manual creation of OpenSSL Trusted certificates is no longer required for
general use. Instead, import the certificate using p11-kit's 'trust anchor
--store /path/to/certificate.crt' functionality. This will recreate the
individual stores, assigning appropriate permissions to the newly added
anchor(s). Additionally, a copy of any newly added anchors will be placed into
$LOCALDIR for future use.
.PP
While the p11-kit trust utility can be used in most simple cases, you may
require additional trust arguments for certain certificates. In these cases,
you will need to manually create an OpenSSL trusted certificate from a regular
PEM encoded file (use -inform for DER or PKCS#7 encoded certs). There are three
trust types that are recognized by the make-ca.sh script: SSL/TLS, S/MIME, and
code signing. For example, using the CAcert root, if you want it to be trusted
for all three roles, the following commands will create an appropriate OpenSSL
Trusted certificate:
.PP
.nf
#\ install -vdm755 /etc/ssl/local
#\ wget http://www.cacert.org/certs/root.crt
#\ openssl x509 -in root.crt -text -fingerprint \\
\ \ \ -setalias "CAcert Class 1 root" \\
\ \ \ -addtrust serverAuth \\
\ \ \ -addtrust emailProtection \\
\ \ \ -addtrust codeSigning \\
\ \ \ > /etc/ssl/local/CAcert_Class_1_root.pem
.fi
.PP
If one of the three trust arguments is omitted, the certificate is neither
trusted nor rejected for that role. Clients using GnuTLS without p11-kit
support are not aware of trusted certificates. To include this CA in the
ca-bundle.crt (used for GnuTLS linked applications not using the p11 module),
it must have serverAuth trust. Additionally, to explicitly disallow a
certificate for a particular use, replace the -addtrust flag with the
-addreject flag.
.PP
Local trust overrides are handled entirely using the /etc/ssl/local directory.
To override Mozilla's trust values, simply make a copy of the certificate in
the local directory with alternate trust values.
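The manual -addtrust/-addreject procedure above, including the rule that a role named with neither flag is neither trusted nor rejected, and the local-override workflow, wrapped in a small POSIX shell helper. This is an added example and is not part of make-ca or its man page. It assumes openssl on PATH and a LOCALDIR of /etc/ssl/local (as on this page) that can be overridden in the environment; the short role names ssl/email/codesign, the functions purpose_name, trust_args, make_trusted_cert and trust_summary, and the script name trusted-cert.sh are all my own naming, and the sample -text output embedded for the parser is constructed rather than captured from a real run.

```shell
#!/bin/sh
# Added example, not part of make-ca: a helper around the manual
# "OpenSSL trusted certificate" procedure from this man page.
# Assumptions: openssl is on PATH; LOCALDIR defaults to /etc/ssl/local
# as described above and may be overridden in the environment.
LOCALDIR="${LOCALDIR:-/etc/ssl/local}"

# Map the three roles make-ca recognises (short names chosen here) to the
# OpenSSL purpose names accepted by -addtrust / -addreject.
purpose_name() {
    case "$1" in
        ssl|tls)     echo serverAuth ;;
        email|smime) echo emailProtection ;;
        codesign)    echo codeSigning ;;
        *) echo "unknown trust role: $1" >&2; return 1 ;;
    esac
}

# Build the trust arguments from comma-separated role lists:
# $1 roles to trust, $2 roles to reject. A role that appears in neither
# list gets no flag at all, which leaves it neither trusted nor rejected.
trust_args() {
    _args=""
    _oldifs=$IFS
    IFS=,
    for _r in $1; do
        _p=$(purpose_name "$_r") || { IFS=$_oldifs; return 1; }
        _args="$_args -addtrust $_p"
    done
    for _r in $2; do
        _p=$(purpose_name "$_r") || { IFS=$_oldifs; return 1; }
        _args="$_args -addreject $_p"
    done
    IFS=$_oldifs
    printf '%s\n' "${_args# }"
}

# Write $LOCALDIR/<alias>.pem as an OpenSSL trusted certificate, the same
# invocation the man page shows for the CAcert root.
# $1 input PEM file, $2 alias, $3 trusted roles, $4 rejected roles.
# Prints the output path so callers can inspect the result.
make_trusted_cert() {
    _in=$1
    _alias=$2
    _targs=$(trust_args "$3" "$4") || return 1
    _out="$LOCALDIR/$(printf '%s' "$_alias" | tr ' /' '__').pem"
    install -d -m 755 "$LOCALDIR" || return 1
    # $_targs is intentionally unquoted so it word-splits into flags.
    # shellcheck disable=SC2086
    openssl x509 -in "$_in" -text -fingerprint -setalias "$_alias" $_targs > "$_out" || return 1
    printf '%s\n' "$_out"
}

# Summarise the trust settings of a trusted certificate from the output of
# 'openssl x509 -in <file> -noout -text' read on stdin, so the file written
# by make_trusted_cert can be checked before the next make-ca run.
trust_summary() {
    awk '
        /^ *Trusted Uses:/    { getline; sub(/^ +/, ""); print "trusted: " $0; next }
        /^ *Rejected Uses:/   { getline; sub(/^ +/, ""); print "rejected: " $0; next }
        /^ *No Trusted Uses/  { print "trusted: (none)" }
        /^ *No Rejected Uses/ { print "rejected: (none)" }'
}

# Constructed sample of the trailing part of "openssl x509 -text" output for
# a trusted certificate (not captured from a real run), used to exercise
# trust_summary offline.
SAMPLE_TEXT_OUTPUT='Certificate:
    Data:
        Version: 3 (0x2)
Trusted Uses:
  TLS Web Server Authentication, E-mail Protection
Rejected Uses:
  Code Signing
Alias: CAcert Class 1 root'

# Usage (script name is hypothetical):
#   sh trusted-cert.sh root.crt "CAcert Class 1 root" ssl,email codesign
if [ "$#" -ge 3 ]; then
    _path=$(make_trusted_cert "$1" "$2" "$3" "${4:-}") || exit 1
    openssl x509 -in "$_path" -noout -text | trust_summary
fi
```

Running it with a trusted-roles list of ssl,email and a rejected-roles list of codesign reproduces the page's example except that code signing is explicitly rejected instead of trusted; leaving codesign out of both lists reproduces the "neither trusted nor rejected" case. Because the file lands in $LOCALDIR, the next make-ca run picks it up as a local override of the upstream trust bits, exactly as the EXAMPLES section describes.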