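#!/bin/bash
#
# Build the CA certificate bundles from Mozilla's certdata.txt.
#
# Inputs (current directory): certdata.txt, certdata2pem.py
# Outputs (current directory): ca-bundle.crt, ca-bundle.trust.crt and the
#   intermediate ca-bundle / ca-bundle.trust files
# Side effect: rewrites /etc/pki/ca-trust/source/ca-bundle.trust.p11-kit on
#   the machine running the build.
#
# NOTE(review): nothing here checks the integrity or origin of certdata.txt;
# presumably the caller verifies it before invoking this script - confirm,
# since that file decides which CAs end up trusted.

set -euo pipefail

readonly P11_SOURCE=/etc/pki/ca-trust/source/ca-bundle.trust.p11-kit

# Create file layout.
mkdir -pv certs
mkdir -pv /etc/pki/ca-trust/source
cp certdata.txt certs
cd certs

# Presumably emits the certs/*.tmp-p11-kit fragments consumed below - verify
# against certdata2pem.py.
python3 ../certdata2pem.py

cd ..

# NOTE(review): this header goes to a file in the working directory, while the
# certificate data below goes to ${P11_SOURCE}; the two are never joined in
# this script. Confirm whether the local file is still used by the caller.
cat <<'EOF' > ca-bundle.trust.p11-kit
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates and trust/distrust attributes use the file format accepted
# by the p11-kit-trust module.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
EOF

# Collect the fragments with a glob instead of counting `find | wc -l` output;
# nullglob makes an unmatched pattern expand to nothing.
shopt -s nullglob
p11_files=(certs/*.tmp-p11-kit)
shopt -u nullglob

if (( ${#p11_files[@]} > 0 )); then
  # Write with a truncating redirect. Appending to a file left over from an
  # earlier run would duplicate entries and keep CAs that have since been
  # removed from (or distrusted in) certdata.txt in the trust source.
  cat -- "${p11_files[@]}" > "$P11_SOURCE"
fi

cat <<'EOF' > ca-bundle.crt
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
EOF

cat <<'EOF' > ca-bundle.trust.crt
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
EOF

# NOTE(review): `trust extract` reads the trust store p11-kit is configured
# with on this host, not only ${P11_SOURCE}. Any other anchor already present
# in the build environment would end up in the shipped bundles - confirm the
# environment is clean.
trust extract --comment --filter=certificates --format=openssl-bundle --overwrite ca-bundle.trust
cat ca-bundle.trust >> ca-bundle.trust.crt

# Only anchors trusted for TLS server authentication go into ca-bundle.crt.
trust extract --comment --filter=ca-anchors --format=pem-bundle --overwrite --purpose server-auth ca-bundle
cat ca-bundle >> ca-bundle.crt

exit 0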