/usr/share/doc/ca-certificates/examples/ca-certificates-local/README is in ca-certificates 20161130+nmu1+deb9u1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 | The Debian Package ca-certificates-local
----------------------------
This package includes local CA certificates to be installed in
/usr/local/share/ca-certificates. The CA certificates installed by this
package will be implicitly trusted.
This is an example stub source package that includes a dummy CA
certificate in the local/ directory. Remove the dummy certificate, copy
your trusted local root CA (in PEM format with the filename ending in
".crt") to the local/ directory, edit files in the debian/ directory as
desired, and build your custom package.
----------------------------
Steps to build your custom local root CA package from this example:
- Check that your local root CA is in PEM-encoded format, the filename
ends in ".crt", and that it is properly usable by openssl; for example:
$ openssl x509 -text -in Deep_Thought_Dummy_Root_CA.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 66 (0x42)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Deep Thought Dummy Root CA
Validity
Not Before: Aug 29 00:00:00 2013 GMT
Not After : Aug 28 23:59:59 2042 GMT
Subject: CN=Deep Thought Dummy Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:a2:e3:00:b0:d2:fa:92:57:02:97:5e:80:e0:1a:
<...>
c5:6e:dc:50:7f:3f:34:b8:29
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
C3:FF:DB:49:E2:8A:A4:26:62:19:74:F0:66:41:E1:5F:F7:4B:3F:A7
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: sha1WithRSAEncryption
1f:32:49:f2:7f:ed:80:62:2e:49:b7:ce:84:b9:c1:c5:1a:f6:
<...>
32:2d
-----BEGIN CERTIFICATE-----
MIICEjCCAXugAwIBAgIBQjANBgkqhkiG9w0BAQUFADAlMSMwIQYDVQQDExpEZWVw
<...>
yTxhjDIt
-----END CERTIFICATE-----
- Copy this example source package somewhere to build as a normal user,
for instance your home directory:
$ cp -a /usr/share/doc/ca-certificates/examples/ca-certificates-local ~/
$ cd ~/ca-certificates-local/
- Remove the dummy CA certificate, copy your local root CA certificate(s)
to the local/ directory, and build the package:
$ rm local/Local_Root_CA.crt
$ cp /path/to/YourOrg_Root_CA.crt local/
$ dpkg-buildpackage
- Install the package (or copy it to your local apt repository for
installation on lots of machines):
$ sudo dpkg -i ../ca-certificates-local_0.1_all.deb
- Feel free to edit the files under the debian/ directory for items like
the maintainer name and email address, version, etc. to better reflect
your own organization. This is just an example to get you started with
a proper local root CA package.
|