SSL Certificates in base

James B. Byrne byrnejb at harte-lyne.ca
Thu Feb 25 18:30:35 UTC 2021


We provide our own CAs and in consequence our certificates are not part of the
ca_root_nss package.  What we did was to produce our own ca_bundle, put it in
/usr/local/share/certs and append these to the bundle installed by ca_root_nss.
We have a script that manages this for us that needs to be run after each nss
update:

cat bin/mv_nss_cert.sh
#!/usr/local/bin/bash
# mv_nss_cert.sh 2019-03-24 JBB
# Run after each ca_root_nss update.  Keeps a date-stamped copy of the
# freshly installed nss bundle, rebuilds ca-root-nss.crt with our own CA
# bundles appended, and copies the result into our application PKI tree.
# The chain stops at the first failure, so a missing nss bundle cannot
# leave ca-root-nss.crt containing only our own CAs.
CERTS=/usr/local/share/certs
PKI=/usr/local/etc/pki/tls/certs
STAMP=$(date +"%Y%m%d")
mv  "$CERTS/ca-root-nss.crt" "$CERTS/ca-root-nss.crt-$STAMP" && \
cat "$CERTS/ca-root-nss.crt-$STAMP" \
    "$CERTS/CA_HLL_PKI_2016_ca-bundle.crt" \
    "$CERTS/CA_HLL_PKI_2008_ca-bundle.crt" \
    > "$CERTS/ca-root-nss.crt" && \
cp -p "$CERTS/ca-root-nss.crt" "$CERTS/ca-root-nss-hll.crt" && \
cp -p "$CERTS/ca-root-nss-hll.crt" "$PKI/" && \
cp -p "$CERTS/ca-root-nss-hll.crt" "$PKI/ca-bundle.crt"
#EOF


We use /usr/local/etc/pki/tls/ for our application specific keys and certs,
which is why that part of the script exists.   You can just delete the last two
cps.  The script saves the original updated nss ca_bundle with a date stamp
appended to the file name. It then appends our ca bundle to the update bundle
and copies that file to a local version.

The locations of application certs and keys are specific to each application. 
Typically these locations are configured in application specific .conf files.
What we add to the nss bundle simply allows certs issued by our CAs to be
recognized as trusted.



On Wed, February 24, 2021 03:57, Andrea Venturoli wrote:
> Hello again.
>
> Sorry if this is a dumb question or FAQ: I tried, but failed to find any
> official documentation on this.
>
> In the past, I've always installed security/ca_root_nss to let SSL work,
> as there were no CA certificates in base.
> 12.2 (and possibly older 12.x, I don't know) already provide several
> certificates in /usr/share/certs/trusted.
>
> How are we expected to deal with this?
> Is security/ca_root_nss still needed/suggested?
> Is it expected to be obsoleted (although easier to update)?
>
> What's the correct procedure to add additional certificates?
> I guess just dropping them in /usr/share/certs/trusted won't be enough...
>
>   bye & Thanks
>   av.
>
>


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
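Because the script above rebuilds ca-root-nss.crt from whatever is currently in place, running it a second time after the same update overwrites the dated backup and appends the private CAs again. The following is an added example, not code from the post or from the ca_root_nss port: a POSIX sh merge that appends only certificate blocks not already present in the nss bundle, plus the post's date-stamped backup step. The sample bundles it writes are constructed placeholders, not real certificates, and the file names are assumed.

```shell
#!/bin/sh
# Added example, not the script from the post: merge a private CA bundle into
# the ca_root_nss bundle without duplicates, so re-running it is harmless.
# merge_ca_bundles BASE LOCAL OUT: copy BASE verbatim (comments included), then
# append each certificate block from LOCAL whose PEM text is not already in
# BASE.  Text outside certificate blocks in LOCAL is dropped.
merge_ca_bundles() {
    awk '
        FILENAME == ARGV[1] { print }                # BASE passes through
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; block = "" }
        inblock { block = block $0 "\n" }
        /^-----END CERTIFICATE-----$/ {
            inblock = 0
            if (FILENAME == ARGV[1]) seen[block] = 1
            else if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }
    ' "$1" "$2" > "$3"
}
# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1"; }
# refresh_bundle BASE LOCAL: keep a date-stamped copy of BASE, as the post's
# script does, then replace BASE with the deduplicated merge.
refresh_bundle() {
    cp -p "$1" "$1-$(date +%Y%m%d)" &&
    merge_ca_bundles "$1" "$2" "$1.tmp" &&
    mv "$1.tmp" "$1"
}
# write_sample_bundles DIR: constructed stand-ins for the nss bundle and a
# private CA bundle.  The bodies are placeholders, not real certificates;
# SAMPLEROOTB is in both files to show that the duplicate is suppressed.
write_sample_bundles() {
    cat > "$1/ca-root-nss.crt" <<'EOF'
## constructed header line, kept verbatim by the merge
-----BEGIN CERTIFICATE-----
SAMPLEROOTA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SAMPLEROOTB
-----END CERTIFICATE-----
EOF
    cat > "$1/local-ca-bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
SAMPLEROOTB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SAMPLEPRIVATECA
-----END CERTIFICATE-----
EOF
}
```

Call `write_sample_bundles "$dir"` and then `refresh_bundle "$dir/ca-root-nss.crt" "$dir/local-ca-bundle.crt"` to try it; a second refresh leaves the bundle unchanged.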