Where are the CA certificates in Solaris 10?

Gary Mills

Feb 2, 2008, 4:29:51 PM
I've been configuring the alpine e-mail reader, which requires access
to the CA (root) certificates. Where are these located in Solaris 10?
I've found the openssl, apache, and apache2 directories, but the CA
certificates are not there. Where are they?


--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-

Richard B. Gilbert

Feb 2, 2008, 4:38:41 PM
Gary Mills wrote:
> I've been configuring the alpine e-mail reader, which requires access
> to the CA (root) certificates. Where are these located in Solaris 10?
> I've found the openssl, apache, and apache2 directories, but the CA
> certificates are not there. Where are they?
>
>

Does Solaris ship with "CA certificates"???? I never encountered any
although since I didn't need them I never looked.

Can you generate your own or download them from somewhere?

Does man -k certificate help?

Gary Mills

Feb 2, 2008, 6:27:03 PM
In <47A4E2E...@comcast.net> "Richard B. Gilbert" <rgilb...@comcast.net> writes:

>Gary Mills wrote:
>> I've been configuring the alpine e-mail reader, which requires access
>> to the CA (root) certificates. Where are these located in Solaris 10?
>> I've found the openssl, apache, and apache2 directories, but the CA
>> certificates are not there. Where are they?

>Does Solaris ship with "CA certificates"???? I never encountered any
>although since I didn't need them I never looked.

I'm assuming it must, since they are so widely used.

>Can you generate your own or download them from somewhere?

That's plan B. Plan A is to have the vendor maintain them.

>Does man -k certificate help?

No, there's no index.

Richard B. Gilbert

Feb 2, 2008, 7:29:36 PM

Why not build the index? See man catman.


Dave Uhring

Feb 2, 2008, 7:32:18 PM

MANPATH=/usr/share/man:/usr/sfw/share/man; export MANPATH
catman -w

man -k certificate | wc -l
1319

usenetper...@gmail.com

Feb 2, 2008, 7:58:32 PM

You got more than me : >
I took a different tack:
man -k certificate| grep -i dir
crypto_certs crypto_certs (4) - directory for certificate files
for Solaris Cryptographic Framework
Hmm sounds promising
man crypto_certs - and there they are.
But are they the "right" ones for the OP??

Gary Mills

Feb 2, 2008, 8:07:28 PM
In <e92969f9-e53c-4ec7...@e6g2000prf.googlegroups.com> usenetper...@gmail.com writes:

No, they're not. I already looked there. I also looked in
/etc/sfw/openssl/certs . That one sounds even more promising,
but it's empty. Surely there must already be SSL clients on
Solaris that require CA certificates.

Wayne

Feb 2, 2008, 10:59:43 PM

How about using:

# find / -name \*.pem -o -name \*.crt

-Wayne

Dave Uhring

Feb 3, 2008, 12:59:13 AM
On Sat, 02 Feb 2008 16:58:32 -0800, usenetpersongerryt wrote:

> On Feb 2, 4:32 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:

>> MANPATH=/usr/share/man:/usr/sfw/share/man; export MANPATH
>> catman -w
>> man -k certificate | wc -l
>> 1319
>
> You got more than me : >

Actually, my MANPATH is quite a bit longer than that example :-)

Chris Ridd

Feb 3, 2008, 2:38:20 AM
On 2008-02-03 01:07:28 +0000, Gary Mills <mi...@cc.umanitoba.ca> said:

> No, they're not. I already looked there. I also looked in
> /etc/sfw/openssl/certs . That one sounds even more promising,
> but it's empty. Surely there must already be SSL clients on
> Solaris that require CA certificates.

They probably each have their own private collection of CA certs
installed. I'm thinking primarily of Firefox and Thunderbird here, but
I wouldn't be shocked if other clients did the same.

Cheers,

Chris

Dave Uhring

Feb 3, 2008, 7:17:56 AM
On Sun, 03 Feb 2008 01:07:28 +0000, Gary Mills wrote:

> No, they're not. I already looked there. I also looked in
> /etc/sfw/openssl/certs . That one sounds even more promising,
> but it's empty. Surely there must already be SSL clients on
> Solaris that require CA certificates.

There are a number of locations for storing .pems and .crts. The
directory /etc/sfw/openssl/certs is something of a catchall which could be
used by alpine if you were interested in using TLS in your MUA.

The configuration option you are seeing is only that, an option which is
not required for compilation of the sources. If you have such certs the
alpine configure script will look for them in /etc/pki/tls, otherwise that
optional argument to the script will define their location.

If you want to generate your own certs, the following from the OpenBSD
ssl(8) man page might be useful:

Generating a DSA certificate involves several steps. First, you generate
a DSA parameter set with a command like the following:

# openssl dsaparam 1024 -out dsa1024.pem

Would generate DSA parameters for 1024 bit DSA keys, and save them to the
file dsa1024.pem.

Once you have the DSA parameters generated, you can generate a certificate
and unencrypted private key using the command:

# openssl req -x509 -nodes -newkey dsa:dsa1024.pem \
-out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem

To generate an encrypted private key, you would use:

# openssl req -x509 -newkey dsa:dsa1024.pem \
-out /etc/ssl/dsacert.pem -keyout /etc/ssl/private/dsakey.pem


Gary Mills

Feb 3, 2008, 8:49:47 AM

>On Sun, 03 Feb 2008 01:07:28 +0000, Gary Mills wrote:

>> No, they're not. I already looked there. I also looked in
>> /etc/sfw/openssl/certs . That one sounds even more promising,
>> but it's empty. Surely there must already be SSL clients on
>> Solaris that require CA certificates.

>There are a number of locations for storing .pems and .crts. The
>directory /etc/sfw/openssl/certs is something of a catchall which could be
>used by alpine if you were interested in using TLS in your MUA.

It's just an empty directory; I don't suppose I'd use it.

>The configuration option you are seeing is only that, an option which is
>not required for compilation of the sources. If you have such certs the
>alpine configure script will look for them in /etc/pki/tls, otherwise that
>optional argument to the script will define their location.

It actually looks in /etc/certs by default on Solaris 10. If there
are no CA certificates on Solaris 10, I suppose I'll put them
someplace with the rest of the alpine files, and point configure at
them.

>If you want to generate your own certs, the following from the OpenBSD
>ssl(8) man page might be useful:

No, I just want the standard CA bundle. I thought it was included
with apache, apache2, or openssl, all of which are installed on
Solaris 10.

Dave Uhring

Feb 3, 2008, 9:07:08 AM

The apache and apache2 cert directories are also empty. You can use
openssl to generate self-signed certificates or certificate signing
requests for a recognized CA to sign.

That "standard" bundle, such as shipped with various Linux distros is just
what is generated in the compilation and testing of openssl. The certs
are useless for anything else.

Blastwave ships some certs with their version of openssl. Perhaps you
would be interested in them. Or you could even grab the certs from some
Windows box and place them in some unobtrusive directory :-)

Doug McIntyre

Feb 3, 2008, 11:26:01 AM
Gary Mills <mi...@cc.umanitoba.ca> writes:
>No, I just want the standard CA bundle. I thought it was included
>with apache, apache2, or openssl, all of which are installed on
>Solaris 10.

No, none of those packages has a standard collection of root CA bundle.
Some linux distributions add one taken from Mozilla/Firefox to some
system location, but AFAIK, nothing on Solaris was done like this.


usenetper...@gmail.com

Feb 3, 2008, 5:13:19 PM
On Feb 2, 5:07 pm, Gary Mills <mi...@cc.umanitoba.ca> wrote:

> In <e92969f9-e53c-4ec7-b873-8dd5a71db...@e6g2000prf.googlegroups.com> usenetpersonger...@gmail.com writes:
>
>
>
> >On Feb 2, 4:32 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:
> >> On Sat, 02 Feb 2008 23:27:03 +0000, Gary Mills wrote:
> >> > In <47A4E2E1.10...@comcast.net> "Richard B. Gilbert" <rgilber...@comcast.net> writes:
> >> >>Does man -k certificate help?
> >> > No, there's no index.
> >> MANPATH=/usr/share/man:/usr/sfw/share/man; export MANPATH
> >> catman -w
> >> man -k certificate | wc -l
> >> 1319
> >You got more than me : >
> >I took a different tack:
> >man -k certificate| grep -i dir
> >crypto_certs crypto_certs (4) - directory for certificate files
> >for Solaris Cryptographic Framework
> >Hmm sounds promising
> >man crypto_certs - and there they are.
> >But are they the "right" ones for the OP??
> No, they're not. I already looked there.

What - you don't want those certs or the directory is empty? : >

> I also looked in
> /etc/sfw/openssl/certs . That one sounds even more promising,
> but it's empty. Surely there must already be SSL clients on
> Solaris that require CA certificates.

The populated directory contents I have belong to package SUNWcsr.
I certainly did not put them there:

gerryt@gcs:/etc/certs $ l
total 14
-rw-r--r-- 2 root sys 2778 Aug 8 19:13 SUNWObjectCA
-rw-r--r-- 1 root sys 1683 Jan 21 2005 SUNWSolarisCA
-rw-r--r-- 1 root sys 1513 Jan 21 2005 SUNW_SunOS_5.10


Chris Mattern

Feb 3, 2008, 9:04:55 PM
On 2008-02-02, Gary Mills <mi...@cc.umanitoba.ca> wrote:
> In <47A4E2E...@comcast.net> "Richard B. Gilbert" <rgilb...@comcast.net> writes:
>
>>Gary Mills wrote:
>>> I've been configuring the alpine e-mail reader, which requires access
>>> to the CA (root) certificates. Where are these located in Solaris 10?
>>> I've found the openssl, apache, and apache2 directories, but the CA
>>> certificates are not there. Where are they?
>
>>Does Solaris ship with "CA certificates"???? I never encountered any
>>although since I didn't need them I never looked.
>
> I'm assuming it must, since they are so widely used.
>
Solaris provided Mozilla and Firefox accesses https sites without asking
me to approve their certificates, so there's got to be certs in there
somewhere.

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities

Gary Mills

Feb 3, 2008, 9:29:16 PM

>On 2008-02-02, Gary Mills <mi...@cc.umanitoba.ca> wrote:
>> In <47A4E2E...@comcast.net> "Richard B. Gilbert" <rgilb...@comcast.net> writes:
>>
>>>Gary Mills wrote:
>>>> I've been configuring the alpine e-mail reader, which requires access
>>>> to the CA (root) certificates. Where are these located in Solaris 10?
>>>> I've found the openssl, apache, and apache2 directories, but the CA
>>>> certificates are not there. Where are they?
>>
>>>Does Solaris ship with "CA certificates"???? I never encountered any
>>>although since I didn't need them I never looked.
>>
>> I'm assuming it must, since they are so widely used.
>>
>Solaris provided Mozilla and Firefox accesses https sites without asking
>me to approve their certificates, so there's got to be certs in there
>somewhere.

I believe I found them, but they don't seem to be in a form that
OpenSSL clients can use directly. Otherwise, they'll be what I need.
The OpenSSL distribution includes a collection of CA certificates, but
they seem to have vanished in the version that's installed in Solaris
10.

Liam Greenwood

Feb 4, 2008, 12:39:50 PM
On Sat, 2 Feb 2008 21:29:51 +0000 (UTC), Gary Mills
<mi...@cc.umanitoba.ca> wrote:
> I've been configuring the alpine e-mail reader, which requires access
> to the CA (root) certificates. Where are these located in Solaris 10?
> I've found the openssl, apache, and apache2 directories, but the CA
> certificates are not there. Where are they?

Try this:

# keytool -export -storepass changeit -alias verisignclass2g2ca \
-keystore /usr/java/jre/lib/security/cacerts -file /tmp/root.crt
Certificate stored in file </tmp/root.crt>

That pulls the CA certs from the Java jre. Sun's package/patch
systems uses this trick to get the CA certs so that things like
smpatch can do ssl to Sun (see
http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5vv?a=view).

Hope that gets you further down the line.

Cheers, Liam

in4...@gmail.com

Jan 15, 2014, 3:11:18 PM
If anyone runs into this on a Solaris 10 host, I've come up with a related, quick & dirty way to individually expand the certificates in the java archive into the certs directory, and link the correct hash files to those certs. Here's the script as it worked for me (it must be run as root):

cd /etc/sfw/openssl/certs
for alias in $(keytool -storepass changeit -list -keystore /usr/java/jre/lib/security/cacerts | fgrep trustedCertEntry | cut -d, -f1); do
    keytool -storepass changeit -keystore /usr/java/jre/lib/security/cacerts -export -alias $alias | openssl x509 -out $alias.pem -outform pem -text -inform der
    ln -s ./$alias.pem "./$(openssl x509 -noout -hash -in $alias.pem).0"
done

in4...@gmail.com

Jan 15, 2014, 3:13:25 PM
The cut & paste was awful, in addition to this wrecked interface. The for loop should only be four lines:

for alias in $(...); do
keytool ...
ln -s ...
done
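
Added example, not part of the posts above or of any Solaris or OpenSSL tooling: the script above hard-codes the `.0` suffix, so a second CA certificate with the same subject hash fails to link. The hypothetical helper `link_ca_cert` below picks the first free `<hash>.N` slot and skips certificates that are already linked; `make_test_ca` builds a constructed throwaway CA so the check runs offline. It assumes a POSIX shell (bash or ksh on Solaris 10, not the old /bin/sh) and an `openssl` binary on the PATH.

```shell
# link_ca_cert DIR FILE: hash-link DIR/FILE so OpenSSL's -CApath lookup finds it.
# Hypothetical helper name; prints the link name it created or found.
link_ca_cert() {
    dir=$1 file=$2
    # Fails here if FILE is not a parseable X.509 certificate.
    hash=$(openssl x509 -noout -hash -in "$dir/$file") || return 1
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$file") || return 1
    n=0
    # OpenSSL tries <hash>.0, <hash>.1, ... in order, so take the first free slot.
    while [ -e "$dir/$hash.$n" ]; do
        old=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$hash.$n") || return 1
        if [ "$old" = "$fp" ]; then
            echo "$hash.$n"          # this exact certificate is already linked
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "./$file" "$dir/$hash.$n" || return 1
    echo "$hash.$n"
}

# make_test_ca DIR NAME: constructed self-signed CA (DIR/NAME.pem) for testing only.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
```

In the loop above, `link_ca_cert . "$alias.pem"` would replace the `ln -s` line. The hash is computed by whichever `openssl` binary runs the helper, and OpenSSL 1.0.0 changed the subject-hash algorithm, so create the links with the same OpenSSL generation the client is built against.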