System wide setting for OpenSSL CAfile / system certificates?
Peter Wood
peter at alastria.net
Sun Apr 17 08:43:39 PDT 2005
Good Afternoon,
I've spent the past three hours playing with openssl.cnf and surfing
google, and so far I've been unable to find an answer to this question.
So I thought I'd ask here :). The background is that I've finally got
around to getting a wildcard SSL certificate for my personal server, all
daemons are using this, Firefox/IE/Thunderbird are all happy with the
certificate and see it signed by ChainedSSL signed by Equifax and all is
good.
However when I use the FreeBSD server to connect to itself, in
several programs I get asked to confirm the certificate. So I assumed
this was because there was no central root certificate store.
So I installed security/ca-roots from ports, and that put the certs.pem
file in /usr/local/share/certs and a symlink to it in /etc. However, as I
found, this simply installs it.
Using openssl s_client I was able to run some tests; if I didn't provide
a cafile then I got the following.
[nebula:~]# openssl s_client -connect localhost:imaps
CONNECTED(00000003)
depth=1 /C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
   i:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
 1 s:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
   i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
---
If I provided a cafile, all was good and I got this:
[nebula:~]# openssl s_client -connect localhost:imaps -CAfile /etc/ssl/cert.pem
CONNECTED(00000003)
depth=2 /C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
verify return:1
depth=1 /C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
verify return:1
depth=0 /C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
verify return:1
---
Certificate chain
 0 s:/C=GB/O=*.alastria.net/OU=https://services.choicepoint.net/get.jsp?GT45161984/OU=See www.freessl.com/cps (c)04/OU=Domain Control Validated - ChainedSSL(TM)/CN=*.alastria.net
   i:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
 1 s:/C=US/O=ChainedSSL/CN=ChainedSSL Certificate Authority
   i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure eBusiness CA-1
---
I have tried various settings in openssl.cnf, but I cannot get CAfile
to be defaulted to anything. My basic question is: can I do this, and if
so, how?
I'm expecting once this works (maybe stupidly) for it to propagate down
to applications that use the openssl library. Although for some programs
(like Mutt) I'll be required to set a property to allow mutt to trust
the system certs (ssl_usesystemcerts).
I hope someone out there knows; I've been playing and running truss and
all sorts for the past three hours trying to get this to work.
Any advice would be greatly appreciated.
Cheers,
Pete.
--
Peter Wood BSc (Hons) :: <peter at alastria.net> :: Tel +44 7974 799440
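As an added example (not from the post or the list), a Python probe of the locations OpenSSL's default verification consults when no CAfile is given: the compiled-in cert file and cert directory under OPENSSLDIR, which the SSL_CERT_FILE and SSL_CERT_DIR environment variables override. The candidate path /etc/ssl/cert.pem is the one from the post; the `env` argument is a hook I added so the check can be exercised without touching the real environment.

```python
import os
import ssl


def default_verify_paths():
    """Where OpenSSL looks for trust anchors when no CAfile/CApath is given.

    ssl.get_default_verify_paths() exposes OpenSSL's compiled-in cert file and
    cert dir (under OPENSSLDIR) and the environment variables that override them.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile_env": p.openssl_cafile_env,    # normally "SSL_CERT_FILE"
        "capath_env": p.openssl_capath_env,    # normally "SSL_CERT_DIR"
        "compiled_cafile": p.openssl_cafile,   # e.g. <OPENSSLDIR>/cert.pem
        "compiled_capath": p.openssl_capath,   # e.g. <OPENSSLDIR>/certs
        "cafile_present": p.cafile,            # None when the compiled-in file is absent
        "capath_present": p.capath,
    }


def bundle_used_by_default(candidate, env=None):
    """Report whether a CA bundle such as /etc/ssl/cert.pem is consulted without
    an explicit -CAfile: only if it is the compiled-in default file, or is named
    by the override variable. `env` defaults to os.environ; pass a dict to test.
    """
    env = os.environ if env is None else env
    paths = default_verify_paths()
    target = os.path.realpath(candidate)       # follow symlinks such as /etc/ssl/cert.pem
    reasons = []
    if paths["compiled_cafile"] and os.path.realpath(paths["compiled_cafile"]) == target:
        reasons.append("compiled-in default cert file")
    override = env.get(paths["cafile_env"])
    if override and os.path.realpath(override) == target:
        reasons.append("named by " + paths["cafile_env"])
    return {
        "candidate": target,
        "exists": os.path.isfile(target),
        "used_by_default": bool(reasons),
        "reasons": reasons,
        "fix_hint": None if reasons else
            f"export {paths['cafile_env']}={target}, or install the bundle at "
            f"{paths['compiled_cafile']}",
    }


if __name__ == "__main__":
    print(default_verify_paths())
    print(bundle_used_by_default("/etc/ssl/cert.pem"))
```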