121 lines
4.7 KiB
Groff
121 lines
4.7 KiB
Groff
.\" **************************************************************************
|
|
.\" * _ _ ____ _
|
|
.\" * Project ___| | | | _ \| |
|
|
.\" * / __| | | | |_) | |
|
|
.\" * | (__| |_| | _ <| |___
|
|
.\" * \___|\___/|_| \_\_____|
|
|
.\" *
|
|
.\" * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
.\" *
|
|
.\" * This software is licensed as described in the file COPYING, which
|
|
.\" * you should have received as part of this distribution. The terms
|
|
.\" * are also available at https://curl.se/docs/copyright.html.
|
|
.\" *
|
|
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
.\" * copies of the Software, and permit persons to whom the Software is
|
|
.\" * furnished to do so, under the terms of the COPYING file.
|
|
.\" *
|
|
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
.\" * KIND, either express or implied.
|
|
.\" *
|
|
.\" * SPDX-License-Identifier: curl
|
|
.\" *
|
|
.\" **************************************************************************
|
|
.\"
|
|
.TH mk-ca-bundle 1 "24 Oct 2016" mk-ca-bundle mk-ca-bundle
|
|
.SH NAME
|
|
mk-ca-bundle \- convert Mozilla's certificate bundle to PEM format
|
|
.SH SYNOPSIS
|
|
mk-ca-bundle [options]
|
|
.I [outputfile]
|
|
.SH DESCRIPTION
|
|
The mk-ca-bundle tool downloads the \fIcertdata.txt\fP file from Mozilla's
|
|
source tree over HTTPS, then parses \fIcertdata.txt\fP and extracts
|
|
certificates into PEM format. By default, only CA root certificates trusted to
|
|
issue SSL server authentication certificates are extracted. These are then
|
|
processed with the OpenSSL command line tool to produce the final ca-bundle
|
|
file.
|
|
|
|
The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-'
|
|
(a single dash) you will get the output sent to STDOUT instead of a file.
|
|
|
|
The PEM format this scripts uses for output makes the result readily available
|
|
for use by just about all OpenSSL or GnuTLS powered applications, such as curl
|
|
and others.
|
|
.SH OPTIONS
|
|
The following options are supported:
|
|
.IP -b
|
|
backup an existing version of \fIoutputfilename\fP
|
|
.IP "-d [name]"
|
|
specify which Mozilla tree to pull \fIcertdata.txt\fP from (or a custom
|
|
URL). Valid names are: aurora, beta, central, Mozilla, nss, release
|
|
(default). They are shortcuts for which source tree to get the certificates
|
|
data from.
|
|
.IP -f
|
|
force rebuild even if \fIcertdata.txt\fP is current (Added in version 1.17)
|
|
.IP -i
|
|
print version info about used modules
|
|
.IP -k
|
|
Allow insecure data transfer. By default (since 1.27) this command will fail
|
|
if the HTTPS transfer fails. This overrides that decision (and opens for
|
|
man-in-the-middle attacks).
|
|
.IP -l
|
|
print license info about \fIcertdata.txt\fP
|
|
.IP -m
|
|
(Added in 1.26) Include meta data comments in the output. The meta data is
|
|
specific information about each certificate that is stored in the original
|
|
file as comments and using this option will make those comments get passed on
|
|
to the output file. The meta data is not parsed in any way by mk-ca-bundle.
|
|
.IP -n
|
|
no download of \fIcertdata.txt\fP (to use existing)
|
|
.IP "-p [purposes]:[levels]"
|
|
list of Mozilla trust purposes and levels for certificates to include in
|
|
output. Takes the form of a comma separated list of purposes, a colon, and a
|
|
comma separated list of levels. The default is to include all certificates
|
|
trusted to issue SSL Server certificates
|
|
(\fISERVER_AUTH:TRUSTED_DELEGATOR\fP).
|
|
|
|
(Added in version 1.21, Perl only)
|
|
|
|
Valid purposes are:
|
|
.RS
|
|
\fIALL\fP, \fIDIGITAL_SIGNATURE\fP, \fINON_REPUDIATION\fP,
|
|
\fIKEY_ENCIPHERMENT\fP, \fIDATA_ENCIPHERMENT\fP, \fIKEY_AGREEMENT\fP,
|
|
\fIKEY_CERT_SIGN\fP, \fICRL_SIGN\fP, \fISERVER_AUTH\fP (default),
|
|
\fICLIENT_AUTH\fP, \fICODE_SIGNING\fP, \fIEMAIL_PROTECTION\fP,
|
|
\fIIPSEC_END_SYSTEM\fP, \fIIPSEC_TUNNEL\fP, \fIIPSEC_USER\fP,
|
|
\fITIME_STAMPING\fP, \fISTEP_UP_APPROVED\fP
|
|
.RE
|
|
.IP
|
|
Valid trust levels are:
|
|
.RS
|
|
\fIALL\fP, \fITRUSTED_DELEGATOR\fP (default), \fINOT_TRUSTED\fP, \fIMUST_VERIFY_TRUST\fP, \fITRUSTED\fP
|
|
.RE
|
|
.IP -q
|
|
be really quiet (no progress output at all)
|
|
.IP -t
|
|
include plain text listing of certificates
|
|
.IP "-s [algorithms]"
|
|
comma separated list of signature algorithms with which to hash/fingerprint
|
|
each certificate and output when run in plain text mode.
|
|
|
|
(Added in version 1.21, Perl only)
|
|
|
|
Valid algorithms are:
|
|
.RS
|
|
ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512
|
|
.RE
|
|
.IP -u
|
|
unlink (remove) \fIcertdata.txt\fP after processing
|
|
.IP -v
|
|
be verbose and print out processed certificate authorities
|
|
.SH EXIT STATUS
|
|
Returns 0 on success. Returns 1 if it fails to download data.
|
|
.SH FILE FORMAT
|
|
The file format used by Mozilla for this trust information is documented here:
|
|
.nf
|
|
https://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html
|
|
.fi
|
|
.SH SEE ALSO
|
|
.BR curl (1)
|