Annotation of embedaddon/curl/docs/mk-ca-bundle.1, revision 1.1
1.1 ! misho 1: .\" **************************************************************************
! 2: .\" * _ _ ____ _
! 3: .\" * Project ___| | | | _ \| |
! 4: .\" * / __| | | | |_) | |
! 5: .\" * | (__| |_| | _ <| |___
! 6: .\" * \___|\___/|_| \_\_____|
! 7: .\" *
! 8: .\" * Copyright (C) 2008 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
! 9: .\" *
! 10: .\" * This software is licensed as described in the file COPYING, which
! 11: .\" * you should have received as part of this distribution. The terms
! 12: .\" * are also available at https://curl.haxx.se/docs/copyright.html.
! 13: .\" *
! 14: .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
! 15: .\" * copies of the Software, and permit persons to whom the Software is
! 16: .\" * furnished to do so, under the terms of the COPYING file.
! 17: .\" *
! 18: .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
! 19: .\" * KIND, either express or implied.
! 20: .\" *
! 21: .\" **************************************************************************
! 22: .\"
! 23: .TH mk-ca-bundle 1 "24 Oct 2016" "version 1.27" "mk-ca-bundle manual"
! 24: .SH NAME
! 25: mk-ca-bundle \- convert mozilla's certdata.txt to PEM format
! 26: .SH SYNOPSIS
! 27: mk-ca-bundle [options]
! 28: .I [outputfile]
! 29: .SH DESCRIPTION
! 30: The mk-ca-bundle tool downloads the certdata.txt file from Mozilla's source
! 31: tree over HTTPS, then parses certdata.txt and extracts certificates into PEM
! 32: format. By default, only CA root certificates trusted to issue SSL server
! 33: authentication certificates are extracted. These are then processed with the
! 34: OpenSSL commandline tool to produce the final ca-bundle file.
! 35:
! 36: The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-'
! 37: (a single dash) you will get the output sent to STDOUT instead of a file.
! 38:
! 39: The PEM format this scripts uses for output makes the result readily available
! 40: for use by just about all OpenSSL or GnuTLS powered applications, such as
! 41: curl, wget and more.
! 42: .SH OPTIONS
! 43: The following options are supported:
! 44: .IP -b
! 45: backup an existing version of \fIoutputfilename\fP
! 46: .IP "-d [name]"
! 47: specify which Mozilla tree to pull certdata.txt from (or a custom URL). Valid
! 48: names are: aurora, beta, central, mozilla, nss, release (default). They are
! 49: shortcuts for which source tree to get the cert data from.
! 50: .IP -f
! 51: force rebuild even if certdata.txt is current (Added in version 1.17)
! 52: .IP -i
! 53: print version info about used modules
! 54: .IP -k
! 55: Allow insecure data transfer. By default (since 1.27) this command will fail
! 56: if the HTTPS transfer fails. This overrides that decision (and opens for
! 57: man-in-the-middle attacks).
! 58: .IP -l
! 59: print license info about certdata.txt
! 60: .IP -m
! 61: (Added in 1.26) Include meta data comments in the output. The meta data is
! 62: specific information about each certificate that is stored in the original
! 63: file as comments and using this option will make those comments get passed on
! 64: to the output file. The meta data is not parsed in any way by mk-ca-bundle.
! 65: .IP -n
! 66: no download of certdata.txt (to use existing)
! 67: .IP "-p [purposes]:[levels]"
! 68: list of Mozilla trust purposes and levels for certificates to include in output.
! 69: Takes the form of a comma separated list of purposes, a colon, and a comma
! 70: separated list of levels. The default is to include all certificates trusted
! 71: to issue SSL Server certificates (SERVER_AUTH:TRUSTED_DELEGATOR).
! 72:
! 73: (Added in version 1.21, Perl only)
! 74:
! 75: Valid purposes are:
! 76: .RS
! 77: ALL, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT,
! 78: DATA_ENCIPHERMENT, KEY_AGREEMENT, KEY_CERT_SIGN, CRL_SIGN,
! 79: SERVER_AUTH (default), CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION,
! 80: IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER, TIME_STAMPING, STEP_UP_APPROVED
! 81: .RE
! 82: .IP
! 83: Valid trust levels are:
! 84: .RS
! 85: ALL, TRUSTED_DELEGATOR (default), NOT_TRUSTED, MUST_VERIFY_TRUST, TRUSTED
! 86: .RE
! 87: .IP -q
! 88: be really quiet (no progress output at all)
! 89: .IP -t
! 90: include plain text listing of certificates
! 91: .IP "-s [algorithms]"
! 92: comma separated list of signature algorithms with which to hash/fingerprint
! 93: each certificate and output when run in plain text mode.
! 94:
! 95: (Added in version 1.21, Perl only)
! 96:
! 97: Valid algorithms are:
! 98: .RS
! 99: ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512
! 100: .RE
! 101: .IP -u
! 102: unlink (remove) certdata.txt after processing
! 103: .IP -v
! 104: be verbose and print out processed CAs
! 105: .SH EXIT STATUS
! 106: Returns 0 on success. Returns 1 if it fails to download data.
! 107: .SH CERTDATA FORMAT
! 108: The file format used by Mozilla for this trust information seems to be documented here:
! 109: .nf
! 110: https://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html
! 111: .fi
! 112: .SH SEE ALSO
! 113: .BR curl (1)
! 114: .SH HISTORY
! 115: \fBmk-ca-bundle\fP is a command line tool that is shipped as part of every
! 116: curl and libcurl release (see https://curl.haxx.se/). It was originally based
! 117: on the parse-certs script written by Roland Krikava and was later much
! 118: improved by Guenter Knauf. This manual page was initially written by Jan
! 119: Schaumann \&<jschauma@netmeister.org>.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to mk-ca-bundle.1 CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / docs