| .\" ************************************************************************** |
| .\" * _ _ ____ _ |
| .\" * Project ___| | | | _ \| | |
| .\" * / __| | | | |_) | | |
| .\" * | (__| |_| | _ <| |___ |
| .\" * \___|\___/|_| \_\_____| |
| .\" * |
| .\" * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. |
| .\" * |
| .\" * This software is licensed as described in the file COPYING, which |
| .\" * you should have received as part of this distribution. The terms |
| .\" * are also available at https://curl.se/docs/copyright.html. |
| .\" * |
| .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
| .\" * copies of the Software, and permit persons to whom the Software is |
| .\" * furnished to do so, under the terms of the COPYING file. |
| .\" * |
| .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
| .\" * KIND, either express or implied. |
| .\" * |
| .\" * SPDX-License-Identifier: curl |
| .\" * |
| .\" ************************************************************************** |
| .\" |
| .TH mk-ca-bundle 1 "24 Oct 2016" "version 1.27" "mk-ca-bundle manual" |
| .SH NAME |
| mk-ca-bundle \- convert Mozilla's certificate bundle to PEM format |
| .SH SYNOPSIS |
| mk-ca-bundle [options] |
| .I [outputfile] |
| .SH DESCRIPTION |
| The mk-ca-bundle tool downloads the \fIcertdata.txt\fP file from Mozilla's |
| source tree over HTTPS, then parses \fIcertdata.txt\fP and extracts |
| certificates into PEM format. By default, only CA root certificates trusted to |
| issue SSL server authentication certificates are extracted. These are then |
| processed with the OpenSSL command line tool to produce the final ca-bundle |
| file. |
| |
| The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-' |
| (a single dash) you will get the output sent to STDOUT instead of a file. |
| |
| The PEM format this scripts uses for output makes the result readily available |
| for use by just about all OpenSSL or GnuTLS powered applications, such as curl |
| and others. |
| .SH OPTIONS |
| The following options are supported: |
| .IP -b |
| backup an existing version of \fIoutputfilename\fP |
| .IP "-d [name]" |
| specify which Mozilla tree to pull \fIcertdata.txt\fP from (or a custom |
| URL). Valid names are: aurora, beta, central, Mozilla, nss, release |
| (default). They are shortcuts for which source tree to get the certificates |
| data from. |
| .IP -f |
| force rebuild even if \fIcertdata.txt\fP is current (Added in version 1.17) |
| .IP -i |
| print version info about used modules |
| .IP -k |
| Allow insecure data transfer. By default (since 1.27) this command will fail |
| if the HTTPS transfer fails. This overrides that decision (and opens for |
| man-in-the-middle attacks). |
| .IP -l |
| print license info about \fIcertdata.txt\fP |
| .IP -m |
| (Added in 1.26) Include meta data comments in the output. The meta data is |
| specific information about each certificate that is stored in the original |
| file as comments and using this option will make those comments get passed on |
| to the output file. The meta data is not parsed in any way by mk-ca-bundle. |
| .IP -n |
| no download of \fIcertdata.txt\fP (to use existing) |
| .IP "-p [purposes]:[levels]" |
| list of Mozilla trust purposes and levels for certificates to include in |
| output. Takes the form of a comma separated list of purposes, a colon, and a |
| comma separated list of levels. The default is to include all certificates |
| trusted to issue SSL Server certificates |
| (\fISERVER_AUTH:TRUSTED_DELEGATOR\fP). |
| |
| (Added in version 1.21, Perl only) |
| |
| Valid purposes are: |
| .RS |
| \fIALL\fP, \fIDIGITAL_SIGNATURE\fP, \fINON_REPUDIATION\fP, |
| \fIKEY_ENCIPHERMENT\fP, \fIDATA_ENCIPHERMENT\fP, \fIKEY_AGREEMENT\fP, |
| \fIKEY_CERT_SIGN\fP, \fICRL_SIGN\fP, \fISERVER_AUTH\fP (default), |
| \fICLIENT_AUTH\fP, \fICODE_SIGNING\fP, \fIEMAIL_PROTECTION\fP, |
| \fIIPSEC_END_SYSTEM\fP, \fIIPSEC_TUNNEL\fP, \fIIPSEC_USER\fP, |
| \fITIME_STAMPING\fP, \fISTEP_UP_APPROVED\fP |
| .RE |
| .IP |
| Valid trust levels are: |
| .RS |
| \fIALL\fP, \fITRUSTED_DELEGATOR\fP (default), \fINOT_TRUSTED\fP, \fIMUST_VERIFY_TRUST\fP, \fITRUSTED\fP |
| .RE |
| .IP -q |
| be really quiet (no progress output at all) |
| .IP -t |
| include plain text listing of certificates |
| .IP "-s [algorithms]" |
| comma separated list of signature algorithms with which to hash/fingerprint |
| each certificate and output when run in plain text mode. |
| |
| (Added in version 1.21, Perl only) |
| |
| Valid algorithms are: |
| .RS |
| ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512 |
| .RE |
| .IP -u |
| unlink (remove) \fIcertdata.txt\fP after processing |
| .IP -v |
| be verbose and print out processed certificate authorities |
| .SH EXIT STATUS |
| Returns 0 on success. Returns 1 if it fails to download data. |
| .SH FILE FORMAT |
| The file format used by Mozilla for this trust information is documented here: |
| .nf |
| https://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html |
| .fi |
| .SH SEE ALSO |
| .BR curl (1) |