| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | .\" ************************************************************************** |
| 2 | .\" * _ _ ____ _ |
| 3 | .\" * Project ___| | | | _ \| | |
| 4 | .\" * / __| | | | |_) | | |
| 5 | .\" * | (__| |_| | _ <| |___ |
| 6 | .\" * \___|\___/|_| \_\_____| |
| 7 | .\" * |
| 8 | .\" * Copyright (C) 2008 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. |
| 9 | .\" * |
| 10 | .\" * This software is licensed as described in the file COPYING, which |
| 11 | .\" * you should have received as part of this distribution. The terms |
| 12 | .\" * are also available at https://curl.haxx.se/docs/copyright.html. |
| 13 | .\" * |
| 14 | .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
| 15 | .\" * copies of the Software, and permit persons to whom the Software is |
| 16 | .\" * furnished to do so, under the terms of the COPYING file. |
| 17 | .\" * |
| 18 | .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
| 19 | .\" * KIND, either express or implied. |
| 20 | .\" * |
| 21 | .\" ************************************************************************** |
| 22 | .\" |
| 23 | .TH mk-ca-bundle 1 "24 Oct 2016" "version 1.27" "mk-ca-bundle manual" |
| 24 | .SH NAME |
| 25 | mk-ca-bundle \- convert mozilla's certdata.txt to PEM format |
| 26 | .SH SYNOPSIS |
| 27 | mk-ca-bundle [options] |
| 28 | .I [outputfile] |
| 29 | .SH DESCRIPTION |
| 30 | The mk-ca-bundle tool downloads the certdata.txt file from Mozilla's source |
| 31 | tree over HTTPS, then parses certdata.txt and extracts certificates into PEM |
| 32 | format. By default, only CA root certificates trusted to issue SSL server |
| 33 | authentication certificates are extracted. These are then processed with the |
| 34 | OpenSSL commandline tool to produce the final ca-bundle file. |
| 35 | |
| 36 | The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-' |
| 37 | (a single dash) you will get the output sent to STDOUT instead of a file. |
| 38 | |
| 39 | The PEM format this scripts uses for output makes the result readily available |
| 40 | for use by just about all OpenSSL or GnuTLS powered applications, such as |
| 41 | curl, wget and more. |
| 42 | .SH OPTIONS |
| 43 | The following options are supported: |
| 44 | .IP -b |
| 45 | backup an existing version of \fIoutputfilename\fP |
| 46 | .IP "-d [name]" |
| 47 | specify which Mozilla tree to pull certdata.txt from (or a custom URL). Valid |
| 48 | names are: aurora, beta, central, mozilla, nss, release (default). They are |
| 49 | shortcuts for which source tree to get the cert data from. |
| 50 | .IP -f |
| 51 | force rebuild even if certdata.txt is current (Added in version 1.17) |
| 52 | .IP -i |
| 53 | print version info about used modules |
| 54 | .IP -k |
| 55 | Allow insecure data transfer. By default (since 1.27) this command will fail |
| 56 | if the HTTPS transfer fails. This overrides that decision (and opens for |
| 57 | man-in-the-middle attacks). |
| 58 | .IP -l |
| 59 | print license info about certdata.txt |
| 60 | .IP -m |
| 61 | (Added in 1.26) Include meta data comments in the output. The meta data is |
| 62 | specific information about each certificate that is stored in the original |
| 63 | file as comments and using this option will make those comments get passed on |
| 64 | to the output file. The meta data is not parsed in any way by mk-ca-bundle. |
| 65 | .IP -n |
| 66 | no download of certdata.txt (to use existing) |
| 67 | .IP "-p [purposes]:[levels]" |
| 68 | list of Mozilla trust purposes and levels for certificates to include in output. |
| 69 | Takes the form of a comma separated list of purposes, a colon, and a comma |
| 70 | separated list of levels. The default is to include all certificates trusted |
| 71 | to issue SSL Server certificates (SERVER_AUTH:TRUSTED_DELEGATOR). |
| 72 | |
| 73 | (Added in version 1.21, Perl only) |
| 74 | |
| 75 | Valid purposes are: |
| 76 | .RS |
| 77 | ALL, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, |
| 78 | DATA_ENCIPHERMENT, KEY_AGREEMENT, KEY_CERT_SIGN, CRL_SIGN, |
| 79 | SERVER_AUTH (default), CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, |
| 80 | IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER, TIME_STAMPING, STEP_UP_APPROVED |
| 81 | .RE |
| 82 | .IP |
| 83 | Valid trust levels are: |
| 84 | .RS |
| 85 | ALL, TRUSTED_DELEGATOR (default), NOT_TRUSTED, MUST_VERIFY_TRUST, TRUSTED |
| 86 | .RE |
| 87 | .IP -q |
| 88 | be really quiet (no progress output at all) |
| 89 | .IP -t |
| 90 | include plain text listing of certificates |
| 91 | .IP "-s [algorithms]" |
| 92 | comma separated list of signature algorithms with which to hash/fingerprint |
| 93 | each certificate and output when run in plain text mode. |
| 94 | |
| 95 | (Added in version 1.21, Perl only) |
| 96 | |
| 97 | Valid algorithms are: |
| 98 | .RS |
| 99 | ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512 |
| 100 | .RE |
| 101 | .IP -u |
| 102 | unlink (remove) certdata.txt after processing |
| 103 | .IP -v |
| 104 | be verbose and print out processed CAs |
| 105 | .SH EXIT STATUS |
| 106 | Returns 0 on success. Returns 1 if it fails to download data. |
| 107 | .SH CERTDATA FORMAT |
| 108 | The file format used by Mozilla for this trust information seems to be documented here: |
| 109 | .nf |
| 110 | http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html |
| 111 | .fi |
| 112 | .SH SEE ALSO |
| 113 | .BR curl (1) |
| 114 | .SH HISTORY |
| 115 | \fBmk-ca-bundle\fP is a command line tool that is shipped as part of every |
| 116 | curl and libcurl release (see https://curl.haxx.se/). It was originally based |
| 117 | on the parse-certs script written by Roland Krikava and was later much |
| 118 | improved by Guenter Knauf. This manual page was initially written by Jan |
| 119 | Schaumann \&<jschauma@netmeister.org>. |