Add a SSL certificate authority

Bastien Semene

Aug 30, 2010, 8:48:18 AM
to freebsd-...@freebsd.org
Hello,

I'm trying to add a certificate authority unsuccessfully.
The Equifax certificate authority seems not to be registered in
FreeBSD, so I tried to add it on my server.
I'm logged in as root and in its home directory.

# uname -a
FreeBSD svn.cyanide-studio.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Fri Aug 6 09:37:33 CEST 2010 ro...@dungeon2.cyanide-studio.com:/usr/obj/usr/src/sys/GEOM i386

# fetch -o Equifax_Secure_Global_eBusiness_CA-1.pem http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer

# cd /usr/src/crypto/openssl/tools
# chmod u+x c_rehash
# ./c_rehash ~/
Doing /root/
Equifax_Secure_Global_eBusiness_CA-1.pem => 74c2 6bd0.0

My goal being to check out an SVN repository, I re-launch the command:

# svn co https://svn.cyanide-studio.com/admin admin-svn
[root@backup]
Error validating server certificate for 'https://svn.cyanide-studio.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.cyanide-studio.com
 - Valid: from Sun, 22 Aug 2010 13:04:24 GMT until Thu, 25 Aug 2011 22:05:01 GMT
 - Issuer: Equifax Secure Certificate Authority, Equifax, US
 - Fingerprint: ed:6d:1f:6c:d4:93:e9:68:44:1c:b2:68:a1:bb:50:b5:af:0e:16:12
(R)eject, accept (t)emporarily or accept (p)ermanently? R
svn: OPTIONS of 'https://svn.cyanide-studio.com/admin': Server certificate verification failed: issuer is not trusted (https://svn.cyanide-studio.com)

I've also seen this in the source code of c_rehash:

    while(exists $hashlist{"$hash.r$suffix"}) {
        # Hash matches: if fingerprint matches its a duplicate cert
        if($hashlist{"$hash.r$suffix"} eq $fprint) {
            print STDERR "WARNING: Skipping duplicate CRL $fname\n";
            return;
        }
        $suffix++;
    }

But if I launch the command twice, it still seems to indicate that it's
adding the CA.

I'm not sure if I do it correctly, but found nothing more relevant on
Google and in the FreeBSD Handbook.
Can someone point me to a good way to add a CA?

Best Regards,
Bastien Semene

Eric Masson

Aug 30, 2010, 10:51:06 AM
to Bastien Semene, freebsd-...@freebsd.org
Bastien Semene <sabb...@semene.fr> writes:

Hi,

> I'm trying to add a certificate authority unsuccessfully.
> The Equifax certificate authority seems not to be registered in
> FreeBSD, so I tried to add it on my server.

You can use the security/ca_root_nss port to retrieve the Mozilla
Project root CA list and then configure the apps that need/require it.

> I'm not sure if I do it correctly, but found nothing more relevant on
> Google and in the FreeBSD Handbook.

This is an svn issue, not a FreeBSD one; check this section of the svn
book:
http://svnbook.red-bean.com/nightly/en/svn.advanced.confarea.html#svn.advanced.confarea.opts.servers
or
http://svnbook.red-bean.com/nightly/fr/svn.advanced.confarea.html#svn.advanced.confarea.opts.servers

Then adapt the ssl-authority-files directive in the [global] section of your
local or system-wide subversion "servers" file.

Éric Masson

--
> Would you be kind enough to keep "Hordes" or "moutons" in the subject of
> your "stupid" threads; that way, I can ask OE to filter them.
-+- NM in Guide du linuxien pervers - "Bien configurer sa secrétaire"
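
Added example, not part of either message above: before listing a CA file in ssl-authority-files, it helps to confirm that the file's subject is the issuer svn names in its error and that the signature verifies. The sketch assumes the openssl command-line tool is installed; the function names and the two CAs (global-ca, secure-ca) are hypothetical, and every certificate is constructed test data.

```shell
#!/bin/sh
# Added example. Every key and certificate below is constructed test data.

# make_demo_pki DIR: two unrelated self-signed CAs plus a server
# certificate signed by the second one ("secure-ca").
make_demo_pki() {
    for ca in global-ca secure-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Example/CN=$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=svn.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -days 2 \
        -CA "$1/secure-ca.pem" -CAkey "$1/secure-ca.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# dn FIELD FILE: print the subject or issuer DN of a PEM certificate.
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# ca_issued CA_PEM SERVER_PEM: succeed only if the CA file's subject is the
# server certificate's issuer and the signature verifies against that CA.
ca_issued() {
    [ "$(dn subject "$1")" = "$(dn issuer "$2")" ] || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: only the issuing CA is worth listing in ssl-authority-files.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "server issuer: $(dn issuer "$tmp/server.pem")"
    for ca in global-ca secure-ca; do
        if ca_issued "$tmp/$ca.pem" "$tmp/server.pem"; then
            echo "$ca.pem: issued the server certificate"
        else
            echo "$ca.pem: subject '$(dn subject "$tmp/$ca.pem")' is not the issuer"
        fi
    done
    rm -rf "$tmp"
}
demo
```

The CA file that passes this check is the one to name in ssl-authority-files in the [global] section of the Subversion "servers" file.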
