Adding a root CA cert on FreeBSD10

Florian Heigl florian.heigl at gmail.com
Sun Mar 8 18:26:08 UTC 2015


Hi,

I'm trying to identify how and where to add a trusted root certificate in
FreeBSD10.

Doing so used to be dead easy on FreeBSD until now, just drop them in
/usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked.
This seems to be no longer true?

I'm working with CACert or "private" CAs in many cases, so this is a
standard thing. Right now I'm pulling my hair out trying to make it work in
FreeBSD 10.

What I want:
- openssl s_client -connect to work

I'm aware different tools are using different methods, but e.g. curl on
many OSes is tamed to respect the openssl CAs, so I figure once openssl is
happy it should be all good.
But OpenSSL ain't happy:


# openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
Authority, emailAddress = support at cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=support at cacert.org
    Verify return code: 19 (self signed certificate in certificate chain)

I've put the CACert certificates in the following places, to no avail:

/etc/ssl/certs/cacert-class3.crt
/etc/ssl/certs/cacert-root.crt
/usr/local/etc/ssl/cacert-root.crt
/usr/local/etc/ssl/certs/cacert-root.crt
/usr/local/etc/ssl/certs/cacert-class3.crt
/usr/local/etc/ssl/cacert-class3.crt
/usr/local/etc/openssl/cacert-class3.crt
/usr/local/etc/openssl/cacert-root.crt
/usr/local/etc/openssl/certs/cacert-class3.crt
/usr/local/etc/openssl/certs/cacert-root.crt

I've not tried to patch them into the OS-side CA bundles
like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be
lost on update of the package.

Is there any documentation regarding certs that is _working_ on FreeBSD10?
I'm so far still inclined to think the error is on my side, but without current
documentation it's hard to tell.


Florian


(I hope we didn't inherit another shitty Linux mechanism like hal,
update-ca-certs or resolvconf to break proven functionality.
If so, please let me know what it is and I'll gladly open a PR to name it a
regression.
Also, please excuse my lack of enthusiasm, but this has ruined much of my
day, meaning the coming week will also be ruined trying to catch up.)



-- 
the purpose of libvirt is to provide an abstraction layer hiding all xen
features added since 2006 until they were finally understood and copied by
the kvm devs.
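An added example, written for this page and not taken from Florian's post or from FreeBSD itself, showing the one check worth making when a CA certificate dropped into OpenSSL's CApath directory is not honoured: OpenSSL's directory lookup does not read every file in the directory, it opens only files named <subject_hash>.N, so a plainly named cacert-root.crt sitting in /etc/ssl/certs is never consulted. The script builds a throwaway private CA and a leaf certificate (constructed test data), verifies the leaf against an empty CApath, copies the root in by name (still not trusted), then adds the hash link and verifies again. All paths under $WORK are assumptions for the demonstration; the real directory for a given openssl binary is the one reported by `openssl version -d`, plus `/certs`, which differs between the base and the ports OpenSSL.

```shell
#!/bin/sh
# Added example: demonstrate OpenSSL's hashed CApath lookup.
# Not code from the original post. $WORK and $CAPATH are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/certs"   # stand-in for "$(openssl version -d)/certs"

# Build a throwaway root CA and a leaf cert signed by it (constructed data).
# A private config is used so the root gets CA:TRUE regardless of the
# system openssl.cnf.
make_test_pki() {
    mkdir -p "$CAPATH"
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Private CA
CN = Example Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=demoserver" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# Install a CA cert into a CApath directory: copy it, then create the
# <subject_hash>.N symlink that X509_LOOKUP_hash_dir actually opens.
# This is the per-file equivalent of running c_rehash on the directory.
install_ca() {
    cert="$1"; dir="$2"
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    base=$(basename "$cert")
    cp "$cert" "$dir/$base"
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$base" "$dir/$hash.$n"
}

# Succeeds (exit 0) only if the leaf chains to a CA found in the CApath.
# The output is grepped rather than trusting the exit status, since old
# openssl verify builds returned 0 even on failure.
verify_leaf() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    make_test_pki
    cp "$WORK/root.crt" "$CAPATH/"   # what the post did: file present, no hash link
    if verify_leaf "$CAPATH" "$WORK/leaf.crt"; then
        echo "plain copy: trusted (unexpected)"
    else
        echo "plain copy: NOT trusted"
    fi
    install_ca "$WORK/root.crt" "$CAPATH"
    if verify_leaf "$CAPATH" "$WORK/leaf.crt"; then
        echo "with hash link: trusted"
    fi
    ls -l "$CAPATH"
}

# Run the demonstration when executed directly: sh capath-demo.sh run
if [ "${1:-}" = "run" ]; then
    demo
fi
```

The same effect for a whole directory is what `c_rehash DIR` (or `openssl rehash` on newer releases) produces; the other route, appending the PEM block to the default CAfile, has the drawback the post already names, since that file is owned by a package and is replaced on update.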

