Date: Thu, 25 Feb 2021 13:30:26 -0500
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: "Andrea Venturoli" <ml@netfence.it>
Cc: freebsd-questions@freebsd.org
Subject: Re: SSL Certificates in base
Message-ID: <3e5785862e9208f26fe9b95106120a44.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <mailman.80.1614168002.62837.freebsd-questions@freebsd.org>
References: <mailman.80.1614168002.62837.freebsd-questions@freebsd.org>
We provide our own CAs and in consequence our certificates are not part of
the ca_root_nss package. What we did was to produce our own ca_bundle, put
it in /usr/local/share/certs and append these to the bundle installed by
ca_root_nss. We have a script that manages this for us that needs to be run
after each nss update:

cat bin/mv_nss_cert.sh
#!/usr/local/bin/bash
# mv_nss_cert.sh 2019-03-24 JBB
# Set the freshly installed nss bundle aside under a dated name, then
# rebuild the bundle from that copy plus our own CA bundles.
mv /usr/local/share/certs/ca-root-nss.crt \
   /usr/local/share/certs/ca-root-nss.crt-$(date +"%Y%m%d") && \
cat /usr/local/share/certs/ca-root-nss.crt-$(date +"%Y%m%d") \
    /usr/local/share/certs/CA_HLL_PKI_2016_ca-bundle.crt \
    /usr/local/share/certs/CA_HLL_PKI_2008_ca-bundle.crt \
    > /usr/local/share/certs/ca-root-nss.crt && \
cp -p /usr/local/share/certs/ca-root-nss.crt \
      /usr/local/share/certs/ca-root-nss-hll.crt && \
cp -p /usr/local/share/certs/ca-root-nss-hll.crt \
      /usr/local/etc/pki/tls/certs/ && \
cp -p /usr/local/share/certs/ca-root-nss-hll.crt \
      /usr/local/etc/pki/tls/certs/ca-bundle.crt
#EOF

We use /usr/local/etc/pki/tls/ for our application specific keys and certs,
which is why that part of the script exists. You can just delete the last
two cps.

The script saves the original updated nss ca_bundle with a date stamp
appended to the file name. It then appends our ca bundle to the updated
bundle and copies that file to a local version.

The locations of application certs and keys are specific to each
application. Typically these locations are configured in application
specific .conf files. What we add to the nss bundle simply allows certs
issued by our CAs to be recognized as trusted.

On Wed, February 24, 2021 03:57, Andrea Venturoli wrote:
> Hello again.
>
> Sorry if this a dumb question or FAQ: I tried, but failed to find any
> official documentation on this.
>
> In the past, I've always installed security/ca_root_nss to let SSL work,
> as there were no CA certificates in base.
> 12.2 (and possibly older 12.x, I don't know) already provide several
> certificates in /usr/share/certs/trusted.
>
> How are we expected to deal with this?
> Is security/ca_root_nss still needed/suggested?
> Is it expected to be obsoleted (although easier to update)?
>
> What's the correct procedure to add additional certificates?
> I guess just dropping them in /usr/share/certs/trusted won't be enough...
>
> bye & Thanks
> av.
>
>

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
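An added example, not the script from the mail above and not anything shipped by FreeBSD or the ca_root_nss port: the same "back up the upstream bundle, append our own CA bundle" procedure written as a POSIX sh function that can be re-run without side effects. Two things matter for a trust store and are easy to get wrong in a one-liner: re-running the merge after the bundle was already merged appends the private CAs a second time (and on the same day overwrites the dated backup with the already merged file), and a failed `cat` can leave the target truncated because the shell opens the output file before `cat` reads its inputs. The function below records a marker line so a second run is a no-op, writes to a temporary file and only moves it into place after checking that the merged file contains exactly the sum of the input certificate blocks, and refuses to append a file with no certificate blocks at all. The paths, the marker format and the sample bundles are assumptions; the sample bundles are constructed placeholder blocks, not real certificates.

```shell
#!/bin/sh
# Added example (not the script from the mail, not FreeBSD project code):
# merge a private CA bundle into the ca_root_nss bundle so the merge can be
# re-run safely. Paths, the marker line format and the sample bundles are
# assumptions / constructed placeholders.
set -eu

# Number of PEM certificate blocks in a file; 0 if the file is missing.
count_certs() {
    if [ -f "$1" ]; then
        grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# merge_bundles UPSTREAM LOCAL OUT
#   UPSTREAM: bundle installed by ca_root_nss (pristine after a pkg update)
#   LOCAL:    our own CA bundle to append
#   OUT:      merged bundle to write (may be the same path as UPSTREAM)
# The marker line records which local bundle was appended; if OUT already
# carries it, nothing is done, so a second run does not duplicate the CAs.
merge_bundles() {
    upstream="$1"; local_bundle="$2"; out="$3"
    marker="# local-ca-bundle: $(basename "$local_bundle")"
    if [ -f "$out" ] && grep -qF -e "$marker" "$out"; then
        echo "already merged: $out" >&2
        return 0
    fi
    n_up=$(count_certs "$upstream")
    n_local=$(count_certs "$local_bundle")
    # Refuse to append a file with no certificate blocks (wrong path, empty file).
    if [ "$n_local" -eq 0 ]; then
        echo "no certificate blocks in $local_bundle" >&2
        return 1
    fi
    # Keep a dated copy of the pristine upstream bundle, as the mail's script does.
    cp -p "$upstream" "$upstream-$(date +%Y%m%d)"
    # Write to a temp file first so a failure cannot leave a truncated bundle.
    { cat "$upstream"; echo "$marker"; cat "$local_bundle"; } > "$out.tmp"
    n_out=$(count_certs "$out.tmp")
    if [ "$n_out" -ne $((n_up + n_local)) ]; then
        rm -f "$out.tmp"
        echo "certificate count mismatch in $out.tmp" >&2
        return 1
    fi
    mv "$out.tmp" "$out"
}

# Constructed sample bundle with N placeholder blocks (not real certificates).
make_fake_bundle() {
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\nPLACEHOLDER%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$i" \
            '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}

# Walk-through in a temp dir: 3 upstream + 2 local blocks, merged twice into
# the upstream path. Prints the final block count: 5, because the second
# merge sees the marker and does nothing.
demo() {
    dir=$(mktemp -d)
    make_fake_bundle "$dir/ca-root-nss.crt" 3
    make_fake_bundle "$dir/local-ca-bundle.crt" 2
    merge_bundles "$dir/ca-root-nss.crt" "$dir/local-ca-bundle.crt" "$dir/ca-root-nss.crt"
    merge_bundles "$dir/ca-root-nss.crt" "$dir/local-ca-bundle.crt" "$dir/ca-root-nss.crt"
    count_certs "$dir/ca-root-nss.crt"
    rm -rf "$dir"
}

demo
```

The block count only checks PEM framing, so it catches a truncated or mis-pathed input but says nothing about whether the certificates inside are valid; after a real merge it is worth confirming with the TLS client you actually use (for example `openssl verify` with the merged file as the CA bundle against a certificate issued by the private CA) that the chain is accepted. Because the marker disappears when the port replaces the upstream file, the next pkg update naturally triggers a fresh merge on the next run.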