Adding a root CA cert on FreeBSD10

Florian Heigl florian.heigl at
Mon Mar 9 16:28:16 UTC 2015


thank you a lot!

I’ll try adding hashed versions, i.e. with ln -s my_ca_cert hash.0 

Do you know / understand the preference between the different directories on FreeBSD?
I very much like using /etc/ssl/certs but since we also have the /usr/local/etc/ssl and /usr/share.. and /usr/local/openssl paths I really wonder what the “right” path would be.



On 09.03.2015, at 15:12, krad <kraduk at> wrote:

> I got mine working fine when i built a transparent ssl proxy. I had to put all the root certs into /etc/ssl/certs
> The filenames had to be a the hash of the cert though. This can be generated via the following command
>  openssl x509 -noout -hash -in <cert>
> eg
> # openssl x509 -noout -hash -in some_cert
> 0810bc98
> # mv some_cert /etc/ssl/certs/0810bc98.o
> On 8 March 2015 at 18:26, Florian Heigl <florian.heigl at> wrote:
> Hi,
> I'm trying to identify how and where to add a trusted root certificate in
> FreeBSD10.
> Doing so used to be dead easy on FreeBSD until now, just drop them in
> /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked.
> This seems to be no longer true?
> I'm working with CACert or "private" CAs in many cases, so this is a
> standard thing. Right now I'm pulling my hair how to make it work in
> FreeBSD 10.
> What I want:
> - openssl s_client -connect to work
> I'm aware different tools are using different methods, but i.e. curl on
> many OS is tamed to respect the openssl CAs so I figure once openssl is
> happy it should be all good.
> But OpenSSL ain't happy:
>  # openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
> depth=1 O = Root CA, OU =, CN = CA Cert Signing
> Authority, emailAddress = support at
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> issuer=/O=Root CA/OU= Cert Signing
> Authority/emailAddress=support at
>     Verify return code: 19 (self signed certificate in certificate chain)
> I've put the CACert certificates in the following places, to no avail:
> /etc/ssl/certs/cacert-class3.crt
> /etc/ssl/certs/cacert-root.crt
> /usr/local/etc/ssl/cacert-root.crt
> /usr/local/etc/ssl/certs/cacert-root.crt
> /usr/local/etc/ssl/certs/cacert-class3.crt
> /usr/local/etc/ssl/cacert-class3.crt
> /usr/local/etc/openssl/cacert-class3.crt
> /usr/local/etc/openssl/cacert-root.crt
> /usr/local/etc/openssl/certs/cacert-class3.crt
> /usr/local/etc/openssl/certs/cacert-root.crt
> I've not tried to patch them into the OS-side CA bundles
> like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be
> lost on update of the package.
> Is there any documentation regarding certs that is _working_ on FreeBSD10?
> I'm so far still inclined the error is on my side, but without current
> documentation it's hard to tell.
> Florian
> (I hope we didn't inherit another shitty linux mechanism like hal,
> update-ca-certs or resolvconf to break proven functionality.
> If so, please let me know what it is and I'll gladly open a PR to name it a
> regression.
> Also, please excuse my lack of enthusiasm, but this has ruined much of my
> day meaning the coming week will also be ruined, trying to catch up)
> --
> the purpose of libvirt is to provide an abstraction layer hiding all xen
> features added since 2006 until they were finally understood and copied by
> the kvm devs.
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list