| xf.li | 6c8fc1e | 2023-08-12 00:11:09 -0700 | [diff] [blame^] | 1 | .\" ************************************************************************** |
| 2 | .\" * _ _ ____ _ |
| 3 | .\" * Project ___| | | | _ \| | |
| 4 | .\" * / __| | | | |_) | | |
| 5 | .\" * | (__| |_| | _ <| |___ |
| 6 | .\" * \___|\___/|_| \_\_____| |
| 7 | .\" * |
| 8 | .\" * Copyright (C) 2008 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. |
| 9 | .\" * |
| 10 | .\" * This software is licensed as described in the file COPYING, which |
| 11 | .\" * you should have received as part of this distribution. The terms |
| 12 | .\" * are also available at https://curl.se/docs/copyright.html. |
| 13 | .\" * |
| 14 | .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
| 15 | .\" * copies of the Software, and permit persons to whom the Software is |
| 16 | .\" * furnished to do so, under the terms of the COPYING file. |
| 17 | .\" * |
| 18 | .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
| 19 | .\" * KIND, either express or implied. |
| 20 | .\" * |
| 21 | .\" * SPDX-License-Identifier: curl |
| 22 | .\" * |
| 23 | .\" ************************************************************************** |
| 24 | .\" |
| 25 | .TH mk-ca-bundle 1 "24 Oct 2016" "version 1.27" "mk-ca-bundle manual" |
| 26 | .SH NAME |
| 27 | mk-ca-bundle \- convert Mozilla's certificate bundle to PEM format |
| 28 | .SH SYNOPSIS |
| 29 | mk-ca-bundle [options] |
| 30 | .I [outputfile] |
| 31 | .SH DESCRIPTION |
| 32 | The mk-ca-bundle tool downloads the \fIcertdata.txt\fP file from Mozilla's |
| 33 | source tree over HTTPS, then parses \fIcertdata.txt\fP and extracts |
| 34 | certificates into PEM format. By default, only CA root certificates trusted to |
| 35 | issue SSL server authentication certificates are extracted. These are then |
| 36 | processed with the OpenSSL command line tool to produce the final ca-bundle |
| 37 | file. |
| 38 | |
| 39 | The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-' |
| 40 | (a single dash) you will get the output sent to STDOUT instead of a file. |
| 41 | |
| 42 | The PEM format this scripts uses for output makes the result readily available |
| 43 | for use by just about all OpenSSL or GnuTLS powered applications, such as curl |
| 44 | and others. |
| 45 | .SH OPTIONS |
| 46 | The following options are supported: |
| 47 | .IP -b |
| 48 | backup an existing version of \fIoutputfilename\fP |
| 49 | .IP "-d [name]" |
| 50 | specify which Mozilla tree to pull \fIcertdata.txt\fP from (or a custom |
| 51 | URL). Valid names are: aurora, beta, central, Mozilla, nss, release |
| 52 | (default). They are shortcuts for which source tree to get the certificates |
| 53 | data from. |
| 54 | .IP -f |
| 55 | force rebuild even if \fIcertdata.txt\fP is current (Added in version 1.17) |
| 56 | .IP -i |
| 57 | print version info about used modules |
| 58 | .IP -k |
| 59 | Allow insecure data transfer. By default (since 1.27) this command will fail |
| 60 | if the HTTPS transfer fails. This overrides that decision (and opens for |
| 61 | man-in-the-middle attacks). |
| 62 | .IP -l |
| 63 | print license info about \fIcertdata.txt\fP |
| 64 | .IP -m |
| 65 | (Added in 1.26) Include meta data comments in the output. The meta data is |
| 66 | specific information about each certificate that is stored in the original |
| 67 | file as comments and using this option will make those comments get passed on |
| 68 | to the output file. The meta data is not parsed in any way by mk-ca-bundle. |
| 69 | .IP -n |
| 70 | no download of \fIcertdata.txt\fP (to use existing) |
| 71 | .IP "-p [purposes]:[levels]" |
| 72 | list of Mozilla trust purposes and levels for certificates to include in |
| 73 | output. Takes the form of a comma separated list of purposes, a colon, and a |
| 74 | comma separated list of levels. The default is to include all certificates |
| 75 | trusted to issue SSL Server certificates |
| 76 | (\fISERVER_AUTH:TRUSTED_DELEGATOR\fP). |
| 77 | |
| 78 | (Added in version 1.21, Perl only) |
| 79 | |
| 80 | Valid purposes are: |
| 81 | .RS |
| 82 | \fIALL\fP, \fIDIGITAL_SIGNATURE\fP, \fINON_REPUDIATION\fP, |
| 83 | \fIKEY_ENCIPHERMENT\fP, \fIDATA_ENCIPHERMENT\fP, \fIKEY_AGREEMENT\fP, |
| 84 | \fIKEY_CERT_SIGN\fP, \fICRL_SIGN\fP, \fISERVER_AUTH\fP (default), |
| 85 | \fICLIENT_AUTH\fP, \fICODE_SIGNING\fP, \fIEMAIL_PROTECTION\fP, |
| 86 | \fIIPSEC_END_SYSTEM\fP, \fIIPSEC_TUNNEL\fP, \fIIPSEC_USER\fP, |
| 87 | \fITIME_STAMPING\fP, \fISTEP_UP_APPROVED\fP |
| 88 | .RE |
| 89 | .IP |
| 90 | Valid trust levels are: |
| 91 | .RS |
| 92 | \fIALL\fP, \fITRUSTED_DELEGATOR\fP (default), \fINOT_TRUSTED\fP, \fIMUST_VERIFY_TRUST\fP, \fITRUSTED\fP |
| 93 | .RE |
| 94 | .IP -q |
| 95 | be really quiet (no progress output at all) |
| 96 | .IP -t |
| 97 | include plain text listing of certificates |
| 98 | .IP "-s [algorithms]" |
| 99 | comma separated list of signature algorithms with which to hash/fingerprint |
| 100 | each certificate and output when run in plain text mode. |
| 101 | |
| 102 | (Added in version 1.21, Perl only) |
| 103 | |
| 104 | Valid algorithms are: |
| 105 | .RS |
| 106 | ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512 |
| 107 | .RE |
| 108 | .IP -u |
| 109 | unlink (remove) \fIcertdata.txt\fP after processing |
| 110 | .IP -v |
| 111 | be verbose and print out processed certificate authorities |
| 112 | .SH EXIT STATUS |
| 113 | Returns 0 on success. Returns 1 if it fails to download data. |
| 114 | .SH FILE FORMAT |
| 115 | The file format used by Mozilla for this trust information is documented here: |
| 116 | .nf |
| 117 | https://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html |
| 118 | .fi |
| 119 | .SH SEE ALSO |
| 120 | .BR curl (1) |