FreeBSD-11 Jails and PKI

Ernie Luzar luzar722 at
Sat Jan 7 00:32:12 UTC 2017

James B. Byrne via freebsd-questions wrote:
> If I want to make a binary application available to all jails do I put
> it in /usr/jails/basejail/bin or somewhere else?  Or is this
> impossible?
> If possible then do such applications need to be statically linked?
> Similarly, given that I wish to maintain a common repository of pki
> keys and certificates that are shared between jails, do I place these
> in or under /usr/jails/basejail/usr/share/openssl/? or somewhere else?
> Or not at all and place them separately in each and every jail that
> requires TLS?
> The main issue I am dealing with is that we run a private PKI CA and
> need to add our root certificates to the ca-bundle after each update
> to  /usr/local/share/certs/ca-root-nss.crt.

Based on the keyword "basejail" I take it to mean you are using ezjail.
Create a jail named seed, install everything you want all other jails 
to have. Archive that jail. Create all your other jails using that 
archive seed jail as input.

For the CA update: build a script to copy all the updated host CA files to the 
path of each jail's CA location.
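
One way to write the copy script suggested in the reply, as an added example that is not part of the original message and not ezjail's own code. It assumes ezjail's default layout (jails as directories under one root, with `basejail`, `newjail` and `flavours` skipped); the function names and the directory of private root certificates are hypothetical.

```shell
#!/bin/sh
# Added example: rebuild a CA bundle (host NSS bundle + private roots) and
# install it into each jail. All paths are arguments; names are hypothetical.

# build_bundle HOST_BUNDLE PRIVATE_DIR OUT
build_bundle() {
    cat "$1" > "$3" || return 1
    for crt in "$2"/*.crt; do
        [ -f "$crt" ] || continue
        # Only certificates belong in a world-readable bundle; refuse key material.
        if grep -q 'PRIVATE KEY' "$crt" || ! grep -q 'BEGIN CERTIFICATE' "$crt"; then
            echo "skipping $crt: not a bare PEM certificate" >&2
            continue
        fi
        printf '\n' >> "$3"
        cat "$crt" >> "$3"
    done
}

# sync_ca_bundle HOST_BUNDLE PRIVATE_DIR JAILS_ROOT; prints the number of jails updated
sync_ca_bundle() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ca-bundle.XXXXXX") || return 1
    build_bundle "$1" "$2" "$tmp" || { rm -f "$tmp"; return 1; }
    count=0
    for jail in "$3"/*/; do
        jail=${jail%/}
        case "${jail##*/}" in basejail|newjail|flavours) continue ;; esac
        dest="$jail/usr/local/share/certs"
        [ -d "$dest" ] || continue
        # A jail's root user controls this tree: resolve it and refuse to
        # write if a symlink leads outside the jail.
        jail_real=$(realpath "$jail") && dest_real=$(realpath "$dest") || continue
        case "$dest_real" in "$jail_real"/*) ;; *)
            echo "skipping $jail: cert dir resolves outside jail" >&2; continue ;; esac
        # Write beside the target, then rename, so readers never see a partial file.
        new="$dest_real/ca-root-nss.crt.new.$$"
        rm -f "$new"
        cp "$tmp" "$new" && chmod 644 "$new" &&
            mv -f "$new" "$dest_real/ca-root-nss.crt" && count=$((count + 1))
    done
    rm -f "$tmp"
    echo "$count"
}
```

Run it on the host after each update of the host bundle, for example as `sync_ca_bundle /usr/local/share/certs/ca-root-nss.crt <private-roots-dir> /usr/jails`.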
