Install Microsoft Root Certificates into FreeBSD

Kevin Kobb kkobb at
Wed Jun 25 17:21:10 UTC 2008

Gerard wrote:
> FreeBSD-6.3
> I wanted to import the root certificates from my WinXP machine into my
> FreeBSD server. I found a site:
> that supplied information on how to accomplish this. This is an
> excerpt from that page.
> <quot>
> In order to avoid errors when visiting SSL-encrypted websites, a file
> named cert.pem containing public certificates of Trusted Root
> Certification Authorities needs to be present in
> the /usr/local/openssl/certs directory. This file can be constructed by
> exporting an existing collection of trusted root certificates from
> another operating system, namely Microsoft Windows XP or Macintosh OS
> X.
>
> 12.6.1. Microsoft Windows XP
> To export trusted root certificates from a Windows XP system:
> Click the Start menu and open the Control Panel.
> Double-click the Internet Options icon.
> Click the Content tab then click the Certificates... button.
> Click the Trusted Root Certification Authorities tab.
> Click the first entry in the list and then scroll down to the end of
> the list. While holding the [shift] key, click the last entry in the
> list. This will select all of the listed certificates.
> Click the Export button and then click Next > at the wizard Welcome
> screen.
> Click the Browse... button and save the file as cert.p7b in a location
> of your choice.
> Click Next > when you are returned to the File Name prompt.
> Click Finish to complete the export.
> Copy the file cert.p7b to the /usr/local/openssl/certs directory on
> your FreeBSD system using SFTP or a similar file transfer utility (see
> "OpenSSH Server 4.7p1" for details on SFTP).
> Once the cert.p7b file is in the proper location, run the following
> command to convert it into the required PEM (Privacy Enhanced Mail)
> format:
> # cd /usr/local/openssl/certs
> # openssl pkcs7 -inform DER -in cert.p7b -print_certs -text -out cert.pem
> You should now be able to securely connect to websites "trusted" by
> Microsoft without Lynx SSL errors.
> </quot>
> The problem is that I do not have a: /usr/local/openssl/certs
> directory. I do have a: /usr/local/share/certs directory though. Could
> I use that directory instead, or do I have to create the specified one?
> I also read about creating an /etc/ssl/certs directory somewhere.
I think you could accomplish what you are after more easily by 
installing the ca_root_nss port.
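
Whichever source a root bundle comes from, it is worth listing what it contains before pointing OpenSSL at it. The following is an added example, not part of the original thread or of the quoted page: it pulls the certificate blocks out of the mixed text-and-PEM output that the quoted `openssl pkcs7 -print_certs -text` conversion writes, checks that each decodes to a single complete DER SEQUENCE, and fingerprints it with SHA-256. The function names and the sample input are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_is_whole_sequence(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def audit_bundle(text: str) -> dict:
    """Fingerprint every certificate block; report duplicates and bad blocks."""
    seen, report = set(), {"unique": [], "duplicate": [], "malformed": 0}
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            report["malformed"] += 1
            continue
        if not der_is_whole_sequence(der):
            report["malformed"] += 1      # truncated or not DER at all
            continue
        fp = hashlib.sha256(der).hexdigest()
        report["duplicate" if fp in seen else "unique"].append(fp)
        seen.add(fp)
    return report

def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample: tiny DER SEQUENCEs stand in for real certificates, with
# "Certificate:" text lines between blocks as -print_certs -text emits.
A, B = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
SAMPLE = ("Certificate:\n    Data:\n" + _pem(A) + "Certificate:\n" + _pem(B)
          + _pem(A) + _pem(B[:-1]))      # one duplicate, one truncated block

if __name__ == "__main__":
    print(audit_bundle(SAMPLE))
```

On a real cert.pem, the fingerprints in `unique` can be compared against the values each CA publishes before the file is used as a trust store.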