Adding a root CA cert on FreeBSD10
Florian Heigl
florian.heigl at gmail.com
Mon Mar 9 16:28:16 UTC 2015
Hi,
thank you a lot!
I’ll try adding hashed versions, i.e. with ln -s my_ca_cert hash.0
Do you know / understand the preference between the different directories on FreeBSD?
I very much like using /etc/ssl/certs but since we also have the /usr/local/etc/ssl and /usr/share.. and /usr/local/openssl paths I really wonder what the “right” path would be.
Anyone?
Florian
On 09.03.2015, at 15:12, krad <kraduk at gmail.com> wrote:
> I got mine working fine when i built a transparent ssl proxy. I had to put all the root certs into /etc/ssl/certs
>
> The filenames had to be a the hash of the cert though. This can be generated via the following command
>
> openssl x509 -noout -hash -in <cert>
>
> eg
>
> # openssl x509 -noout -hash -in some_cert
> 0810bc98
> # mv some_cert /etc/ssl/certs/0810bc98.o
>
>
> On 8 March 2015 at 18:26, Florian Heigl <florian.heigl at gmail.com> wrote:
> Hi,
>
> I'm trying to identify how and where to add a trusted root certificate in
> FreeBSD10.
>
> Doing so used to be dead easy on FreeBSD until now, just drop them in
> /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked.
> This seems to be no longer true?
>
> I'm working with CACert or "private" CAs in many cases, so this is a
> standard thing. Right now I'm pulling my hair how to make it work in
> FreeBSD 10.
>
> What I want:
> - openssl s_client -connect to work
>
> I'm aware different tools are using different methods, but i.e. curl on
> many OS is tamed to respect the openssl CAs so I figure once openssl is
> happy it should be all good.
> But OpenSSL ain't happy:
>
>
> # openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
> depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
> Authority, emailAddress = support at cacert.org
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
> Authority/emailAddress=support at cacert.org
> Verify return code: 19 (self signed certificate in certificate chain)
>
> I've put the CACert certificates in the following places, to no avail:
>
> /etc/ssl/certs/cacert-class3.crt
> /etc/ssl/certs/cacert-root.crt
> /usr/local/etc/ssl/cacert-root.crt
> /usr/local/etc/ssl/certs/cacert-root.crt
> /usr/local/etc/ssl/certs/cacert-class3.crt
> /usr/local/etc/ssl/cacert-class3.crt
> /usr/local/etc/openssl/cacert-class3.crt
> /usr/local/etc/openssl/cacert-root.crt
> /usr/local/etc/openssl/certs/cacert-class3.crt
> /usr/local/etc/openssl/certs/cacert-root.crt
>
> I've not tried to patch them into the OS-side CA bundles
> like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be
> lost on update of the package.
>
> Is there any documentation regarding certs that is _working_ on FreeBSD10?
> I'm so far still inclined the error is on my side, but without current
> documentation it's hard to tell.
>
>
> Florian
>
>
> (I hope we didn't inherit another shitty linux mechanism like hal,
> update-ca-certs or resolvconf to break proven functionality.
> If so, please let me know what it is and I'll gladly open a PR to name it a
> regression.
> Also, please excuse my lack of enthusiasm, but this has ruined much of my
> day meaning the coming week will also be ruined, trying to catch up)
>
>
>
> --
> the purpose of libvirt is to provide an abstraction layer hiding all xen
> features added since 2006 until they were finally understood and copied by
> the kvm devs.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
More information about the freebsd-questions
mailing list