Added new article on TLS certificate handling
tbazant committed Jun 21, 2024
1 parent 9153824 commit 56027b0
Showing 22 changed files with 2,473 additions and 0 deletions.
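--- a/DC-tls-certificates
+++ b/DC-tls-certificates
@@ -0,0 +1,18 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="tls-certificates.asm.xml"
+# Point to the ID of the <structure> of your assembly
+#ROOTID="article-example"
+SRC_DIR="articles"
+IMG_SRC_DIR="images"
+
+PROFOS="sles"
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEASSEMBLY="/usr/share/xml/docbook/stylesheet/nwalsh5/current/assembly/assemble.xsl"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"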
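--- a/articles/tls-certificates.asm.xml
+++ b/articles/tls-certificates.asm.xml
@@ -0,0 +1,261 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- This file originates from the project https://github.com/openSUSE/doc-kit -->
+<!-- This file can be edited downstream. -->
+<!DOCTYPE assembly
+[
+<!ENTITY % entities SYSTEM "../common/generic-entities.ent">
+%entities;
+]>
+<assembly version="5.2" xml:lang="en"
+xmlns:xlink="http://www.w3.org/1999/xlink"
+xmlns:trans="http://docbook.org/ns/transclusion"
+xmlns:its="http://www.w3.org/2005/11/its"
+xmlns:xi="http://www.w3.org/2001/XInclude"
+xmlns="http://docbook.org/ns/docbook">
+<!-- R E S O U R C E S -->
+<resources>
+<resource href="../concepts/tls-certificates.xml" xml:id="_concept-tls-certificates">
+<description>Introduction</description>
+</resource>
+<resource href="../tasks/tls-sign-csr-private-ca.xml" xml:id="_task-tls-sign-csr-private-ca">
+<description>Signing a CSR</description>
+</resource>
+<resource href="../tasks/tls-certificates-installation-procedure-trusted-ca.xml" xml:id="_task-tls-certificates-installation-procedure-trusted-ca">
+<description>Issuing and installing certificates with a trusted CA</description>
+</resource>
+<resource href="../tasks/tls-certificates-installation-procedure-private-ca.xml" xml:id="_task-tls-certificates-installation-procedure-private-ca">
+<description>Issuing and installing certificates with a private CA</description>
+</resource>
+<resource href="../tasks/tls-csr.xml" xml:id="_task-tls-csr">
+<description>Generating CSR</description>
+</resource>
+<resource href="../tasks/tls-creating-private-key.xml" xml:id="_task-tls-creating-private-key">
+<description>Creating a private key</description>
+</resource>
+<resource href="../concepts/tls-certificate-store.xml" xml:id="_concept-tls-certificate-store">
+<description>System-wide CA certificate store</description>
+</resource>
+<resource href="../tasks/tls-adding-new-certificates.xml" xml:id="_task-tls-adding-new-certificates">
+<description></description>
+</resource>
+<resource href="../tasks/tls-creating-private-ca.xml" xml:id="_task-tls-creating-private-ca">
+<description>Creating a private CA</description>
+</resource>
+<resource href="../tasks/tls-troubleshooting.xml" xml:id="_task-tls-troubleshooting">
+<description>Troubleshooting</description>
+</resource>
+<resource href="../references/tls-certificate-glossary.xml" xml:id="_tls-certificate-glossary">
+<description>Glossary</description>
+</resource>
+<resource href="../common/legal.xml" xml:id="_legal">
+<description>Legal Notice</description>
+</resource>
+<resource href="../common/license_gfdl1.2.xml" xml:id="_gfdl">
+<description>GNU Free Documentation License</description>
+</resource>
+</resources>
+<!-- S T R U C T U R E -->
+<structure renderas="article" xml:id="tls-certificates" xml:lang="en">
+<merge>
+<title>Securing Communication with TLS Certificates</title>
+<revhistory xml:id="rh-tls-certificates">
+<revision><date>2024-03-26</date>
+<revdescription>
+<para>
+Initial release
+</para>
+</revdescription>
+</revision>
+</revhistory>
+<!-- TODO: provide a listing of possible and validatable meta entry values. Maybe in our geekodoc repo? -->
+<!-- add author's e-mail -->
+<meta name="maintainer" content="[email protected]" its:translate="no"/>
+<!-- ISO date of last update as YYYY-MM-DD -->
+<meta name="updated" content="2024-03-26" its:translate="no"/>
+<!-- this does not work yet. Use the dm tags listed below for now
+<meta name="bugtracker" its:translate="no">
+<phrase role="url">https://bugzilla.suse.com/enter_bug.cgi</phrase>
+<phrase role="component">Non-product-specific documentation</phrase>
+<phrase role="product">Smart Docs</phrase>
+<phrase role="assignee">[email protected]</phrase>
+</meta>
+-->
+<!-- not supported, yet. Use dm: tag for now
+<meta name="translation" its:translate="no">
+<phrase role="trans">yes</phrase>
+<phrase role="language">de-de,cs-cz</phrase>
+</meta>
+-->
+<!-- enter the platform identifier or a list of
+identifiers, separated by ; -->
+<!-- For a full list of meta tags and their values,
+see https://confluence.suse.com/x/aQDWNg
+-->
+<meta name="architecture"><phrase>&x86-64;</phrase><phrase>&power;</phrase>
+</meta>
+<!-- enter one or more product names and version -->
+<meta name="productname" its:translate="no"><productname version="15-SP6">&sles;</productname>
+</meta>
+<meta name="title" its:translate="yes">Securing communication with TLS certificates</meta>
+<meta name="description" its:translate="yes">TLS certificates help
+secure network communication between the client and the server</meta>
+<meta name="social-descr" its:translate="yes">Securing communication with TLS certificates</meta>
+<!-- suitable categories -->
+<meta name="category"><phrase>Security</phrase>
+</meta>
+<!-- Determines "filter by task" filter value -->
+<meta name="task"><phrase>Security</phrase>
+</meta>
+<meta name="series">Products &amp; Solutions</meta>
+<dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+<dm:bugtracker>
+<dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
+<dm:component>Smart Docs</dm:component>
+<dm:product>Documentation</dm:product>
+<!-- provide your BUGZILLA e-mail address, otherwise this does not work correctly-->
+<dm:assignee>[email protected]</dm:assignee>
+</dm:bugtracker>
+<dm:translation>yes</dm:translation>
+</dm:docmanager>
+<abstract>
+<variablelist>
+<varlistentry>
+<term>WHAT?</term>
+<listitem>
+<para>
+TLS certificates are key elements when establishing secure
+network communication.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>WHY?</term>
+<listitem>
+<para>
+You want to learn how to generate and sign TLS certificates to
+establish secured network communication.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>EFFORT</term>
+<listitem>
+<para>
+One hour is enough to learn how to manage TLS certificates and
+create a certificate signed by a private CA for a trusted
+network environment.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>GOAL</term>
+<listitem>
+<para>
+You can generate, sign and manage TLS certificates, and include
+them in the system-wide certificate store.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>REQUIREMENTS</term>
+<listitem>
+<itemizedlist>
+<xi:include href="../snippets/requirement-root-or-sudo-privileges.xml"/>
+</itemizedlist>
+</listitem>
+</varlistentry>
+</variablelist>
+</abstract>
+</merge>
+<module resourceref="_concept-tls-certificates" renderas="section">
+<merge>
+<title>Introduction</title>
+</merge>
+</module>
+<module renderas="section">
+<merge>
+<title>Issuing and installing TLS certificates</title>
+<abstract>
+<para>
+The following procedures outline the TLS certificate issuance and
+installation process using both trusted and private CAs.
+</para>
+</abstract>
+</merge>
+<module renderas="section" resourceref="_task-tls-certificates-installation-procedure-trusted-ca">
+<merge>
+<title>Using a trusted CA</title>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+</module>
+<module renderas="section" resourceref="_task-tls-certificates-installation-procedure-private-ca">
+<merge>
+<title>Using a private CA</title>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+</module>
+</module>
+<module renderas="section" resourceref="_task-tls-creating-private-ca">
+<merge>
+<title>Creating a private CA</title>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+</module>
+<module renderas="section" resourceref="_task-tls-creating-private-key">
+<merge>
+<title>Creating a server private key</title>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+</module>
+<module renderas="section" resourceref="_task-tls-csr">
+<merge>
+<title>Creating a CSR</title>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+</module>
+<module renderas="section" resourceref="_task-tls-sign-csr-private-ca">
+<merge>
+<title>Signing a CSR</title>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+</module>
+<module renderas="section" resourceref="_concept-tls-certificate-store">
+<merge>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+<module renderas="section" resourceref="_task-tls-adding-new-certificates">
+<merge>
+<title>Adding new CA certificates</title>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+</module>
+</module>
+<module renderas="section" resourceref="_task-tls-troubleshooting">
+<merge>
+<title>Troubleshooting</title>
+<abstract>
+<para></para>
+</abstract>
+</merge>
+</module>
+<module resourceref="_legal"/>
+<module resourceref="_tls-certificate-glossary" renderas="glossary"/>
+<module resourceref="_gfdl" renderas="appendix"/>
+</structure>
+</assembly>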
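--- a/concepts/tls-certificate-store.xml
+++ b/concepts/tls-certificate-store.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file originates from the project https://github.com/openSUSE/doc-kit -->
+<!-- This file can be edited downstream. -->
+<!DOCTYPE topic
+[
+<!ENTITY % entities SYSTEM "../common/generic-entities.ent">
+%entities;
+]>
+<topic xml:id="tls-certificates-store"
+role="concept" xml:lang="en"
+xmlns="http://docbook.org/ns/docbook" version="5.2"
+xmlns:its="http://www.w3.org/2005/11/its"
+xmlns:xi="http://www.w3.org/2001/XInclude"
+xmlns:xlink="http://www.w3.org/1999/xlink"
+xmlns:trans="http://docbook.org/ns/transclusion">
+<info>
+<title>System-wide CA certificate store</title>
+<meta name="maintainer" content="[email protected]" its:translate="no"/>
+<abstract>
+<xi:include href="../snippets/tls-certificates-introduction.xml"/>
+</abstract>
+</info>
+<para>
+A shared system-wide CA store is a centralized repository for storing
+trusted root certificates and user-specific certificates on a system. This
+store is used by software applications and components within the
+operating system to establish secure connections, validate the authenticity
+of TLS certificates presented by servers, and verify the identity of
+individuals or entities. By default, the store contains the Mozilla CA
+certificate list included in the <package>ca-certificates-mozilla</package>
+package. You can either update this list or select another certificate list.
+</para>
+<tip>
+<title>OpenSSL vs NSS certificate store</title>
+<para>
+By default, there are two different CA certificate stores in
+&productnameshort;: the OpenSSL-based store and the NSS (Network Security
+System)-based store. Many GUI-based Web browsers&mdash;such as
+Firefox&mdash;use the NSS certificate store. To avoid installing CA
+certificates in both certificate stores, install the plug-in package
+<package>p11-kit-nss-trust</package> that makes the NSS store look up
+certificates in the OpenSSL store automatically.
+</para>
+</tip>
+<section xml:id="tls-certificates-store-file-system">
+<title>Where is the CA certificate store on the file system?</title>
+<para>
+In &productnameshort;, the shared system-wide certificate store is located
+in the following directories:
+</para>
+<variablelist>
+<varlistentry>
+<term>/usr/share/pki/trust/anchors</term>
+<listitem>
+<para>
+CA certificates trust anchors provided by the system.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>/usr/share/pki/trust/blacklist</term>
+<listitem>
+<para>
+Distrusted CA certificates provided by the system.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>/etc/pki/trust/anchors</term>
+<listitem>
+<para>
+CA certificates trust anchors provided by the system administrators.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>/etc/pki/trust/blacklist</term>
+<listitem>
+<para>
+Distrusted CA certificates provided by the system administrators.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+</section>
+<section xml:id="tls-certificates-store-benefits">
+<title>Benefits of using a system-wide CA certificate store</title>
+<para>
+Some of the key benefits of using a shared certificate store are:
+</para>
+<itemizedlist>
+<listitem>
+<para>
+<emphasis role="bold">Security:</emphasis> Centralizing trusted
+certificates helps ensure that all applications and services use a
+consistent set of trusted certificates to verify the authenticity
+of TLS connections.
+</para>
+</listitem>
+<listitem>
+<para>
+<emphasis role="bold">Simplified management:</emphasis> Instead of
+each application or service maintaining its own list of trusted
+certificates, they can rely on the system-wide certificate store.
+</para>
+</listitem>
+<listitem>
+<para>
+<emphasis role="bold">Ease of update:</emphasis> System administrators
+can update the trusted certificates in the system-wide store as
+needed, either manually or through automated mechanisms such as
+operating system updates. This ensures that systems remain up to date
+with the latest trusted certificates and security standards.
+</para>
+</listitem>
+</itemizedlist>
+</section>
+</topic>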