diff options
author | Seonah Moon <seonah1.moon@samsung.com> | 2018-04-12 16:25:13 +0900 |
---|---|---|
committer | Seonah Moon <seonah1.moon@samsung.com> | 2018-04-12 16:25:24 +0900 |
commit | cfd75dcdb18d0a4291f48020211c65507a97d9eb (patch) | |
tree | bc0018cefd6662f78ec90af210c19f23ffd3459d /docs/mk-ca-bundle.1 | |
parent | 24b9957402f17c422eeeb3386bf049feeb342e78 (diff) | |
download | curl-cfd75dcdb18d0a4291f48020211c65507a97d9eb.tar.gz curl-cfd75dcdb18d0a4291f48020211c65507a97d9eb.tar.bz2 curl-cfd75dcdb18d0a4291f48020211c65507a97d9eb.zip |
Imported Upstream version 7.59.0upstream/7.59.0
Change-Id: I06221d49da39082f95030ab57617a1e23fbda58b
Diffstat (limited to 'docs/mk-ca-bundle.1')
-rw-r--r-- | docs/mk-ca-bundle.1 | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/docs/mk-ca-bundle.1 b/docs/mk-ca-bundle.1 new file mode 100644 index 000000000..f754e74c7 --- /dev/null +++ b/docs/mk-ca-bundle.1 @@ -0,0 +1,119 @@ +.\" ************************************************************************** +.\" * _ _ ____ _ +.\" * Project ___| | | | _ \| | +.\" * / __| | | | |_) | | +.\" * | (__| |_| | _ <| |___ +.\" * \___|\___/|_| \_\_____| +.\" * +.\" * Copyright (C) 2008 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * +.\" * This software is licensed as described in the file COPYING, which +.\" * you should have received as part of this distribution. The terms +.\" * are also available at https://curl.haxx.se/docs/copyright.html. +.\" * +.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell +.\" * copies of the Software, and permit persons to whom the Software is +.\" * furnished to do so, under the terms of the COPYING file. +.\" * +.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +.\" * KIND, either express or implied. +.\" * +.\" ************************************************************************** +.\" +.TH mk-ca-bundle 1 "24 Oct 2016" "version 1.27" "mk-ca-bundle manual" +.SH NAME +mk-ca-bundle \- convert mozilla's certdata.txt to PEM format +.SH SYNOPSIS +mk-ca-bundle [options] +.I [outputfile] +.SH DESCRIPTION +The mk-ca-bundle tool downloads the certdata.txt file from Mozilla's source +tree over HTTPS, then parses certdata.txt and extracts certificates into PEM +format. By default, only CA root certificates trusted to issue SSL server +authentication certificates are extracted. These are then processed with the +OpenSSL commandline tool to produce the final ca-bundle file. + +The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-' +(a single dash) you will get the output sent to STDOUT instead of a file. + +The PEM format this scripts uses for output makes the result readily available +for use by just about all OpenSSL or GnuTLS powered applications, such as +curl, wget and more. +.SH OPTIONS +The following options are supported: +.IP -b +backup an existing version of \fIoutputfilename\fP +.IP "-d [name]" +specify which Mozilla tree to pull certdata.txt from (or a custom URL). Valid +names are: aurora, beta, central, mozilla, nss, release (default). They are +shortcuts for which source tree to get the cert data from. +.IP -f +force rebuild even if certdata.txt is current (Added in version 1.17) +.IP -i +print version info about used modules +.IP -k +Allow insecure data transfer. By default (since 1.27) this command will fail +if the HTTPS transfer fails. This overrides that decision (and opens for +man-in-the-middle attacks). +.IP -l +print license info about certdata.txt +.IP -m +(Added in 1.26) Include meta data comments in the output. The meta data is +specific information about each certificate that is stored in the original +file as comments and using this option will make those comments get passed on +to the output file. The meta data is not parsed in any way by mk-ca-bundle. +.IP -n +no download of certdata.txt (to use existing) +.IP "-p [purposes]:[levels]" +list of Mozilla trust purposes and levels for certificates to include in output. +Takes the form of a comma separated list of purposes, a colon, and a comma +separated list of levels. The default is to include all certificates trusted +to issue SSL Server certificates (SERVER_AUTH:TRUSTED_DELEGATOR). + +(Added in version 1.21, Perl only) + +Valid purposes are: +.RS +ALL, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, +DATA_ENCIPHERMENT, KEY_AGREEMENT, KEY_CERT_SIGN, CRL_SIGN, +SERVER_AUTH (default), CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, +IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER, TIME_STAMPING, STEP_UP_APPROVED +.RE +.IP +Valid trust levels are: +.RS +ALL, TRUSTED_DELEGATOR (default), NOT_TRUSTED, MUST_VERIFY_TRUST, TRUSTED +.RE +.IP -q +be really quiet (no progress output at all) +.IP -t +include plain text listing of certificates +.IP "-s [algorithms]" +comma separated list of signature algorithms with which to hash/fingerprint +each certificate and output when run in plain text mode. + +(Added in version 1.21, Perl only) + +Valid algorithms are: +.RS +ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512 +.RE +.IP -u +unlink (remove) certdata.txt after processing +.IP -v +be verbose and print out processed CAs +.SH EXIT STATUS +Returns 0 on success. Returns 1 if it fails to download data. +.SH CERTDATA FORMAT +The file format used by Mozilla for this trust information seems to be documented here: +.nf +https://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html +.fi +.SH SEE ALSO +.BR curl (1) +.SH HISTORY +\fBmk-ca-bundle\fP is a command line tool that is shipped as part of every +curl and libcurl release (see https://curl.haxx.se/). It was originally based +on the parse-certs script written by Roland Krikava and was later much +improved by Guenter Knauf. This manual page was initially written by Jan +Schaumann \&<jschauma@netmeister.org>. |