From owner-freebsd-questions@FreeBSD.ORG Mon Mar 9 14:12:53 2015
Date: Mon, 9 Mar 2015 14:12:51 +0000
Subject: Re: Adding a root CA cert on FreeBSD10
From: krad
To: Florian Heigl
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
I got mine working fine when I built a transparent SSL proxy. I had to put all the root certs into /etc/ssl/certs. The filenames had to be the hash of the cert though. This can be generated via the following command:

openssl x509 -noout -hash -in <certfile>

e.g.

# openssl x509 -noout -hash -in some_cert
0810bc98
# mv some_cert /etc/ssl/certs/0810bc98.0

On 8 March 2015 at 18:26, Florian Heigl wrote:

> Hi,
>
> I'm trying to identify how and where to add a trusted root certificate in FreeBSD10.
>
> Doing so used to be dead easy on FreeBSD until now, just drop them in /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked. This seems to be no longer true?
>
> I'm working with CACert or "private" CAs in many cases, so this is a standard thing. Right now I'm pulling my hair out over how to make it work in FreeBSD 10.
>
> What I want:
> - openssl s_client -connect to work
>
> I'm aware different tools are using different methods, but i.e. curl on many OSes is tamed to respect the openssl CAs, so I figure once openssl is happy it should be all good.
> But OpenSSL ain't happy:
>
> # openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
> depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
> Verify return code: 19 (self signed certificate in certificate chain)
>
> I've put the CACert certificates in the following places, to no avail:
>
> /etc/ssl/certs/cacert-class3.crt
> /etc/ssl/certs/cacert-root.crt
> /usr/local/etc/ssl/cacert-root.crt
> /usr/local/etc/ssl/certs/cacert-root.crt
> /usr/local/etc/ssl/certs/cacert-class3.crt
> /usr/local/etc/ssl/cacert-class3.crt
> /usr/local/etc/openssl/cacert-class3.crt
> /usr/local/etc/openssl/cacert-root.crt
> /usr/local/etc/openssl/certs/cacert-class3.crt
> /usr/local/etc/openssl/certs/cacert-root.crt
>
> I've not tried to patch them into the OS-side CA bundles like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be lost on update of the package.
>
> Is there any documentation regarding certs that is _working_ on FreeBSD10? I'm so far still inclined to think the error is on my side, but without current documentation it's hard to tell.
>
> Florian
>
> (I hope we didn't inherit another shitty linux mechanism like hal, update-ca-certs or resolvconf to break proven functionality. If so, please let me know what it is and I'll gladly open a PR to name it a regression. Also, please excuse my lack of enthusiasm, but this has ruined much of my day, meaning the coming week will also be ruined trying to catch up.)
>
> --
> the purpose of libvirt is to provide an abstraction layer hiding all xen features added since 2006 until they were finally understood and copied by the kvm devs.
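The two halves of this thread, the failure Florian reports (a CA dropped into the directory under a plain filename such as cacert-root.crt is ignored) and the fix krad describes (the same file renamed to its subject hash plus a .0 suffix, with a zero, not the letter o), put together as an added, self-contained example. This is not code from either message: it builds a throwaway root CA and a leaf it signs, uses a temporary directory in place of /etc/ssl/certs, and assumes only that openssl(1) is on the PATH. The directory name CA_DEMO_DIR, the subjects, and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not krad's or Florian's code): install a
# private root CA into an OpenSSL CApath directory under its subject-hash
# name, then show that openssl verify only finds it under that name.
# Everything lives in a throwaway directory standing in for /etc/ssl/certs;
# the CA and leaf certificate are constructed here, so it runs offline.
set -eu

CA_DEMO_DIR="${CA_DEMO_DIR:-$(mktemp -d)}"   # scratch directory (constructed)
CAPATH="$CA_DEMO_DIR/certs"                  # plays the role of /etc/ssl/certs

# make_test_ca: build a self-signed root CA and a leaf certificate it signs.
# Both are throwaway test objects, not CAcert's or anyone else's certificates.
make_test_ca() {
    mkdir -p "$CA_DEMO_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Private CA/CN=Example Root" \
        -keyout "$CA_DEMO_DIR/ca.key" -out "$CA_DEMO_DIR/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=demoserver.example" \
        -keyout "$CA_DEMO_DIR/leaf.key" -out "$CA_DEMO_DIR/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$CA_DEMO_DIR/leaf.csr" \
        -CA "$CA_DEMO_DIR/ca.crt" -CAkey "$CA_DEMO_DIR/ca.key" -CAcreateserial \
        -out "$CA_DEMO_DIR/leaf.crt" 2>/dev/null
}

# subject_hash CERT: the 8-hex-digit name OpenSSL looks up in a CApath
# directory (-hash is an alias of -subject_hash; same value krad's command prints).
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# install_ca CERT DIR: copy CERT into DIR as <hash>.<n>. The suffix starts at
# 0 and is incremented while that name is taken, so two CAs whose subjects
# hash to the same value coexist instead of one clobbering the other; if the
# existing file already holds this exact certificate it is reused.
# Prints the installed path.
install_ca() {
    cert="$1"; dir="$2"
    mkdir -p "$dir"
    hash=$(subject_hash "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if cmp -s "$cert" "$dir/$hash.$n"; then
            printf '%s\n' "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    cp "$cert" "$dir/$hash.$n"
    printf '%s\n' "$dir/$hash.$n"
}

# verify_against DIR CERT: does CERT chain to a trust anchor found in DIR?
# Returns openssl verify's exit status; its output is suppressed.
verify_against() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# demo: reproduce the failure from the thread (CA present under a plain
# filename), then the fix (same CA under its hash name).
demo() {
    make_test_ca
    mkdir -p "$CAPATH"
    cp "$CA_DEMO_DIR/ca.crt" "$CAPATH/cacert-root.crt"
    if verify_against "$CAPATH" "$CA_DEMO_DIR/leaf.crt"; then
        echo "unexpected: verify succeeded with only a plain filename"
    else
        echo "as in the thread: $CAPATH/cacert-root.crt is ignored by -CApath"
    fi
    installed=$(install_ca "$CA_DEMO_DIR/ca.crt" "$CAPATH")
    echo "installed as $installed"
    if verify_against "$CAPATH" "$CA_DEMO_DIR/leaf.crt"; then
        echo "leaf verifies once the CA is named by its subject hash"
    fi
}

# Run the demo only when asked (CA_DEMO=1 sh thisfile.sh); when the file is
# sourced, only the functions are defined.
if [ "${CA_DEMO:-0}" = 1 ]; then
    demo
fi
```

The plain filename fails because OpenSSL's CApath lookup never scans the directory: for each issuer it needs, it computes the issuer's subject hash, builds the filename hash.0, hash.1, ... and opens those names directly. That is also why krad's mv works and why `openssl rehash` (or the older c_rehash script) exists: it creates exactly those hash-named links for every certificate in a directory. The alternative that does not care about filenames is a single concatenated bundle passed as -CAfile, which is what OpenSSL's cert.pem is. For the specific check in Florian's message, `openssl s_client -connect host:443 -CApath /etc/ssl/certs` makes the directory being consulted explicit instead of relying on the built-in default.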