
Adding a root CA cert on FreeBSD10


Florian Heigl

Mar 8, 2015, 2:26:17 PM
Hi,

I'm trying to identify how and where to add a trusted root certificate in
FreeBSD10.

Doing so used to be dead easy on FreeBSD until now, just drop them in
/usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked.
This seems to be no longer true?

I'm working with CACert or "private" CAs in many cases, so this is a
standard thing. Right now I'm pulling my hair how to make it work in
FreeBSD 10.

What I want:
- openssl s_client -connect to work

I'm aware different tools are using different methods, but i.e. curl on
many OS is tamed to respect the openssl CAs so I figure once openssl is
happy it should be all good.
But OpenSSL ain't happy:


# openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
Authority, emailAddress = sup...@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=sup...@cacert.org
Verify return code: 19 (self signed certificate in certificate chain)

I've put the CACert certificates in the following places, to no avail:

/etc/ssl/certs/cacert-class3.crt
/etc/ssl/certs/cacert-root.crt
/usr/local/etc/ssl/cacert-root.crt
/usr/local/etc/ssl/certs/cacert-root.crt
/usr/local/etc/ssl/certs/cacert-class3.crt
/usr/local/etc/ssl/cacert-class3.crt
/usr/local/etc/openssl/cacert-class3.crt
/usr/local/etc/openssl/cacert-root.crt
/usr/local/etc/openssl/certs/cacert-class3.crt
/usr/local/etc/openssl/certs/cacert-root.crt

I've not tried to patch them into the OS-side CA bundles
like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be
lost on update of the package.

Is there any documentation regarding certs that is _working_ on FreeBSD10?
I'm so far still inclined the error is on my side, but without current
documentation it's hard to tell.


Florian


(I hope we didn't inherit another shitty linux mechanism like hal,
update-ca-certs or resolvconf to break proven functionality.
If so, please let me know what it is and I'll gladly open a PR to name it a
regression.
Also, please excuse my lack of enthusiasm, but this has ruined much of my
day meaning the coming week will also be ruined, trying to catch up)



--
the purpose of libvirt is to provide an abstraction layer hiding all xen
features added since 2006 until they were finally understood and copied by
the kvm devs.
_______________________________________________
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions

krad

Mar 9, 2015, 10:13:01 AM
I got mine working fine when I built a transparent SSL proxy. I had to put
all the root certs into /etc/ssl/certs.

The filenames had to be the hash of the cert though. This can be
generated via the following command:

openssl x509 -noout -hash -in <cert>

e.g.

# openssl x509 -noout -hash -in some_cert
0810bc98
# mv some_cert /etc/ssl/certs/0810bc98.0
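The recipe above turned into a small script, as an added example that is not from the thread. It assumes /etc/ssl/certs as the store (override with CERT_DIR) and OpenSSL 1.0 or later, handles the case where two CAs share a subject hash (OpenSSL then looks for <hash>.1, <hash>.2, ...), prints the fingerprint so it can be compared with what the CA publishes, and finishes with an openssl verify against the store:

```shell
#!/bin/sh
# Added example, not from the thread: install a CA certificate into an
# OpenSSL-style hashed directory so -CApath users (s_client, verify, curl
# built against OpenSSL) can find it.
set -eu

# Directory taken from the thread; override with CERT_DIR=... if needed.
CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"

# Subject-name hash as OpenSSL looks it up (-hash prints the same on 1.0+).
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Two CAs may share a subject hash, so OpenSSL tries <hash>.0, <hash>.1, ...
# Print the first suffix that is still free in directory $1 for hash $2.
next_free_suffix() {
    _dir=$1; _hash=$2; _n=0
    while [ -e "$_dir/$_hash.$_n" ]; do
        _n=$((_n + 1))
    done
    printf '%s\n' "$_n"
}

# Copy $1 into CERT_DIR under its hash name, then check the store verifies it.
install_ca_cert() {
    cert=$1
    # Show the SHA-256 fingerprint so it can be compared with the value the
    # CA publishes out of band before every client on the box trusts it.
    openssl x509 -noout -fingerprint -sha256 -in "$cert"
    h=$(subject_hash "$cert")
    n=$(next_free_suffix "$CERT_DIR" "$h")
    cp "$cert" "$CERT_DIR/$h.$n"
    chmod 0644 "$CERT_DIR/$h.$n"
    # A self-signed root verifies against itself; a subordinate CA needs its
    # issuer installed the same way first.
    openssl verify -CApath "$CERT_DIR" "$cert"
}

# Usage (root needed for /etc/ssl/certs):
#   install_ca_cert /path/to/cacert-root.crt
```

Re-run the install for each CA in the chain (root first, then class3), then repeat the s_client test from the first post.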

Florian Heigl

Mar 9, 2015, 12:28:23 PM
Hi,

thank you a lot!

I’ll try adding hashed versions, i.e. with ln -s my_ca_cert hash.0

Do you know / understand the preference between the different directories on FreeBSD?
I very much like using /etc/ssl/certs but since we also have the /usr/local/etc/ssl and /usr/share.. and /usr/local/openssl paths I really wonder what the “right” path would be.

Anyone?

Florian