123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 |
- .\" **************************************************************************
- .\" * _ _ ____ _
- .\" * Project ___| | | | _ \| |
- .\" * / __| | | | |_) | |
- .\" * | (__| |_| | _ <| |___
- .\" * \___|\___/|_| \_\_____|
- .\" *
- .\" * Copyright (C) 2008 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
- .\" *
- .\" * This software is licensed as described in the file COPYING, which
- .\" * you should have received as part of this distribution. The terms
- .\" * are also available at https://curl.se/docs/copyright.html.
- .\" *
- .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
- .\" * copies of the Software, and permit persons to whom the Software is
- .\" * furnished to do so, under the terms of the COPYING file.
- .\" *
- .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
- .\" * KIND, either express or implied.
- .\" *
- .\" * SPDX-License-Identifier: curl
- .\" *
- .\" **************************************************************************
- .\"
- .TH mk-ca-bundle 1 "24 Oct 2016" "version 1.27" "mk-ca-bundle manual"
- .SH NAME
- mk-ca-bundle \- convert Mozilla's certificate bundle to PEM format
- .SH SYNOPSIS
- mk-ca-bundle [options]
- .I [outputfile]
- .SH DESCRIPTION
- The mk-ca-bundle tool downloads the \fIcertdata.txt\fP file from Mozilla's
- source tree over HTTPS, then parses \fIcertdata.txt\fP and extracts
- certificates into PEM format. By default, only CA root certificates trusted to
- issue SSL server authentication certificates are extracted. These are then
- processed with the OpenSSL command line tool to produce the final ca-bundle
- file.
- The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-'
- (a single dash) you will get the output sent to STDOUT instead of a file.
- The PEM format this scripts uses for output makes the result readily available
- for use by just about all OpenSSL or GnuTLS powered applications, such as curl
- and others.
- .SH OPTIONS
- The following options are supported:
- .IP -b
- backup an existing version of \fIoutputfilename\fP
- .IP "-d [name]"
- specify which Mozilla tree to pull \fIcertdata.txt\fP from (or a custom
- URL). Valid names are: aurora, beta, central, Mozilla, nss, release
- (default). They are shortcuts for which source tree to get the certificates
- data from.
- .IP -f
- force rebuild even if \fIcertdata.txt\fP is current (Added in version 1.17)
- .IP -i
- print version info about used modules
- .IP -k
- Allow insecure data transfer. By default (since 1.27) this command will fail
- if the HTTPS transfer fails. This overrides that decision (and opens for
- man-in-the-middle attacks).
- .IP -l
- print license info about \fIcertdata.txt\fP
- .IP -m
- (Added in 1.26) Include meta data comments in the output. The meta data is
- specific information about each certificate that is stored in the original
- file as comments and using this option will make those comments get passed on
- to the output file. The meta data is not parsed in any way by mk-ca-bundle.
- .IP -n
- no download of \fIcertdata.txt\fP (to use existing)
- .IP "-p [purposes]:[levels]"
- list of Mozilla trust purposes and levels for certificates to include in
- output. Takes the form of a comma separated list of purposes, a colon, and a
- comma separated list of levels. The default is to include all certificates
- trusted to issue SSL Server certificates
- (\fISERVER_AUTH:TRUSTED_DELEGATOR\fP).
- (Added in version 1.21, Perl only)
- Valid purposes are:
- .RS
- \fIALL\fP, \fIDIGITAL_SIGNATURE\fP, \fINON_REPUDIATION\fP,
- \fIKEY_ENCIPHERMENT\fP, \fIDATA_ENCIPHERMENT\fP, \fIKEY_AGREEMENT\fP,
- \fIKEY_CERT_SIGN\fP, \fICRL_SIGN\fP, \fISERVER_AUTH\fP (default),
- \fICLIENT_AUTH\fP, \fICODE_SIGNING\fP, \fIEMAIL_PROTECTION\fP,
- \fIIPSEC_END_SYSTEM\fP, \fIIPSEC_TUNNEL\fP, \fIIPSEC_USER\fP,
- \fITIME_STAMPING\fP, \fISTEP_UP_APPROVED\fP
- .RE
- .IP
- Valid trust levels are:
- .RS
- \fIALL\fP, \fITRUSTED_DELEGATOR\fP (default), \fINOT_TRUSTED\fP, \fIMUST_VERIFY_TRUST\fP, \fITRUSTED\fP
- .RE
- .IP -q
- be really quiet (no progress output at all)
- .IP -t
- include plain text listing of certificates
- .IP "-s [algorithms]"
- comma separated list of signature algorithms with which to hash/fingerprint
- each certificate and output when run in plain text mode.
- (Added in version 1.21, Perl only)
- Valid algorithms are:
- .RS
- ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512
- .RE
- .IP -u
- unlink (remove) \fIcertdata.txt\fP after processing
- .IP -v
- be verbose and print out processed certificate authorities
- .SH EXIT STATUS
- Returns 0 on success. Returns 1 if it fails to download data.
- .SH FILE FORMAT
- The file format used by Mozilla for this trust information is documented here:
- .nf
- https://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html
- .fi
- .SH SEE ALSO
- .BR curl (1)
|