aboutsummaryrefslogtreecommitdiffstats
path: root/docs/mk-ca-bundle.1
diff options
context:
space:
mode:
Diffstat (limited to 'docs/mk-ca-bundle.1')
-rw-r--r--docs/mk-ca-bundle.1110
1 files changed, 110 insertions, 0 deletions
diff --git a/docs/mk-ca-bundle.1 b/docs/mk-ca-bundle.1
new file mode 100644
index 00000000..164c9c34
--- /dev/null
+++ b/docs/mk-ca-bundle.1
@@ -0,0 +1,110 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 2008 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at http://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH mk-ca-bundle 1 "5 Jan 2013" "version 1.20" "mk-ca-bundle manual"
+.SH NAME
+mk-ca-bundle \- convert mozilla's certdata.txt to PEM format
+.SH SYNOPSIS
+mk-ca-bundle [bilnpqstuv]
+.I [outputfile]
+.SH DESCRIPTION
+The mk-ca-bundle tool downloads the certdata.txt file from Mozilla's source
+tree over HTTP, then parses certdata.txt and extracts certificates
+into PEM format. By default, only CA root certificates trusted to issue SSL
+server authentication certificates are extracted. These are then processed with
+the OpenSSL commandline tool to produce the final ca-bundle file.
+
+The default \fIoutputfile\fP name is \fBca-bundle.crt\fP. By setting it to '-'
+(a single dash) you will get the output sent to STDOUT instead of a file.
+
+The PEM format this scripts uses for output makes the result readily available
+for use by just about all OpenSSL or GnuTLS powered applications, such as
+curl, wget and more.
+.SH OPTIONS
+The following options are supported:
+.IP -b
+backup an existing version of \fIoutputfilename\fP
+.IP "-d [name]"
+specify which Mozilla tree to pull certdata.txt from (or a custom URL). Valid
+names are: aurora, beta, central, mozilla, nss, release (default). They are
+shortcuts for which source tree to get the cert data from.
+.IP -f
+force rebuild even if certdata.txt is current (Added in version 1.17)
+.IP -i
+print version info about used modules
+.IP -l
+print license info about certdata.txt
+.IP -n
+no download of certdata.txt (to use existing)
+.IP "-p [purposes]:[levels]"
+list of Mozilla trust purposes and levels for certificates to include in output.
+Takes the form of a comma separated list of purposes, a colon, and a comma
+separated list of levels. The default is to include all certificates trusted
+to issue SSL Server certificates (SERVER_AUTH:TRUSTED_DELEGATOR).
+
+(Added in version 1.21, Perl only)
+
+Valid purposes are:
+.RS
+ALL, DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT,
+DATA_ENCIPHERMENT, KEY_AGREEMENT, KEY_CERT_SIGN, CRL_SIGN,
+SERVER_AUTH (default), CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION,
+IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER, TIME_STAMPING, STEP_UP_APPROVED
+.RE
+.IP
+Valid trust levels are:
+.RS
+ALL, TRUSTED_DELEGATOR (default), NOT_TRUSTED, MUST_VERIFY_TRUST, TRUSTED
+.RE
+.IP -q
+be really quiet (no progress output at all)
+.IP -t
+include plain text listing of certificates
+.IP "-s [algorithms]"
+comma separated list of signature algorithms with which to hash/fingerprint
+each certificate and output when run in plain text mode.
+
+(Added in version 1.21, Perl only)
+
+Valid algorithms are:
+.RS
+ALL, NONE, MD5 (default), SHA1, SHA256, SHA384, SHA512
+.RE
+.IP -u
+unlink (remove) certdata.txt after processing
+.IP -v
+be verbose and print out processed CAs
+.SH EXIT STATUS
+Returns 0 on success. Returns 1 if it fails to download data.
+.SH CERTDATA FORMAT
+The file format used by Mozilla for this trust information seems to be documented here:
+.nf
+http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-existing.html
+.fi
+.SH SEE ALSO
+.BR curl (1)
+.SH HISTORY
+\fBmk-ca-bundle\fP is a command line tool that is shipped as part of every
+curl and libcurl release (see http://curl.haxx.se/). It was originally based
+on the parse-certs script written by Roland Krikava and was later much
+improved by Guenter Knauf. This manual page was initially written by Jan
+Schaumann \&<jschauma@netmeister.org>.