updates docu to reflekt actual status

2024-12-29 04:49:44 +01:00 · 2023-03-17 18:05:24 +01:00 · 2023-03-17 18:05:24 +01:00 · 419aae3c98
commit 419aae3c98
parent 2659a13086
1 changed files with 4 additions and 4 deletions
--- a/etc/README.md
+++ b/etc/README.md
@ -5,8 +5,8 @@ The certificate trust stores were retrieved from

 * **Linux:** Copied from an up-to-date Debian Linux machine
 * **Mozilla:** https://curl.haxx.se/docs/caextract.html
-* **Java:** extracted (``keytool -list -rfc -keystore lib/security/cacerts | grep -E -v '^$|^\*\*\*\*\*|^Entry |^Creation |^Alias '``) from a JDK LTS version from https://jdk.java.net/. (use dos2unix).
-* **Microsoft:** Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions). They are in DER format. Convert them like ``for f in *.cer; do echo $f >/dev/stderr; openssl x509 -in $f -inform DER -outform PEM ;done >/tmp/Microsoft.pem``
+* **Java:** extracted (``keytool -list -rfc -keystore lib/security/cacerts | grep -E -v '^$|^\*\*\*\*\*|^Entry |^Creation |^Alias '``) from a JDK LTS version from https://jdk.java.net/. Use dos2unix for the store which you generated.
+* **Microsoft:** Following command pulls all certificates from Windows Update services: ``CertUtil -syncWithWU -f -f . `` (see also http://aka.ms/RootCertDownload, https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions). They are in DER format. Convert them like ``for f in *.crt; do echo $f >/dev/stderr; openssl x509 -in $f -inform DER -outform PEM ;done >/tmp/Microsoft.pem``
 * **Apple:**
    1. __System:__ from Apple OS X keychain app.  Open Keychain Access utility, i.e.
  In the Finder window, under Favorites --> "Applications" --> "Utilities"
@ -16,7 +16,7 @@ The certificate trust stores were retrieved from
  Select all CA certificates except for "Developer ID Certification Authority", omit expired ones,  "File" --> "Export Items"
    2. __Internet:__ Pick the latest subdir (=highest number) from https://opensource.apple.com/source/security_certificates/. They are in all DER format despite their file extension. Download them with ``wget --level=1 --cut-dirs=5 --mirror --convert-links --adjust-extension --page-requisites --no-parent https://opensource.apple.com/source/security_certificates/security_certificates-<latest>/certificates/roots/``. Then: ``for f in *.cer *.der *.crt; do echo $f >/dev/stderr; openssl x509 -in $f -inform DER -outform PEM ;done >/tmp/Apple.pem``

-**Attention**: You need to remove the DST Root CA X3 which is for your reference in this directory.
+**ATTENTION**: From each store you need to remove the _DST Root CA X3_ which is for your reference in this directory. See file ``DST Root CA X3.txt`` in this directory. Apple's file name is ``IdenTrust_Root_X3.der``. For the Microsoft store you have to identify the file beforehand like `` for f in *.crt; do echo $f >/dev/stderr; openssl x509 -in $f -inform DER -text -noout | grep DST ;done`` 

 Google Chromium uses basically the trust stores above, see https://www.chromium.org/Home/chromium-security/root-ca-policy.

@ -36,7 +36,7 @@ If you want to check trust against e.g. a company internal CA you need to use ``

 * ``common-primes.txt`` is used for LOGJAM and the PFS section

-* ``client-simulation.txt`` / ``client-simulation.wiresharked.txt`` are as the names indicate data for the client simulation.
+* ``client-simulation.txt`` / ``client-simulation.wiresharked.txt`` are -- as the names indicate -- data for the client simulation.
  The first one is derived from ``~/utils/update_client_sim_data.pl``, and manually edited to sort and label those we don't want.
  The second file provides more client data retrieved from wireshark captures and some instructions how to do that yourself.