From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: "Andrea Venturoli"
Cc: freebsd-questions@freebsd.org
Date: Thu, 25 Feb 2021 13:30:26 -0500
Subject: Re: SSL Certificates in base
Message-ID: <3e5785862e9208f26fe9b95106120a44.squirrel@webmail.harte-lyne.ca>

We provide our own CAs and in consequence our certificates are not part of
the ca_root_nss package. What we did was to produce our own CA bundle, put
it in /usr/local/share/certs and append it to the bundle installed by
ca_root_nss.
We have a script that manages this for us that needs to be run after each
nss update:

cat bin/mv_nss_cert.sh
#!/usr/local/bin/bash
# mv_nss_cert.sh 2019-03-24 JBB
#
# Keep the freshly updated ca_root_nss bundle under a dated name, rebuild
# ca-root-nss.crt as that bundle followed by our own CA bundles, and copy
# the result to where our applications look for it.

stamp=$(date +"%Y%m%d")    # computed once so mv and cat agree on the name

# && (not ;) after the mv: if the move fails, cat must not run, or the
# rebuilt file would hold only our CAs and none of the public roots.
mv /usr/local/share/certs/ca-root-nss.crt \
   /usr/local/share/certs/ca-root-nss.crt-${stamp} && \
cat /usr/local/share/certs/ca-root-nss.crt-${stamp} \
    /usr/local/share/certs/CA_HLL_PKI_2016_ca-bundle.crt \
    /usr/local/share/certs/CA_HLL_PKI_2008_ca-bundle.crt \
    > /usr/local/share/certs/ca-root-nss.crt && \
cp -p /usr/local/share/certs/ca-root-nss.crt \
      /usr/local/share/certs/ca-root-nss-hll.crt && \
cp -p /usr/local/share/certs/ca-root-nss-hll.crt \
      /usr/local/etc/pki/tls/certs/ && \
cp -p /usr/local/share/certs/ca-root-nss-hll.crt \
      /usr/local/etc/pki/tls/certs/ca-bundle.crt
#EOF

We use /usr/local/etc/pki/tls/ for our application specific keys and certs,
which is why that part of the script exists. You can just delete the last
two cp commands.

The script saves the original updated nss CA bundle with a date stamp
appended to the file name. It then appends our CA bundle to the updated
bundle and copies that file to a local version.

The locations of application certs and keys are specific to each
application. Typically these locations are configured in application
specific .conf files. What we add to the nss bundle simply allows certs
issued by our CAs to be recognized as trusted.

On Wed, February 24, 2021 03:57, Andrea Venturoli wrote:
> Hello again.
>
> Sorry if this is a dumb question or FAQ: I tried, but failed to find any
> official documentation on this.
>
> In the past, I've always installed security/ca_root_nss to let SSL work,
> as there were no CA certificates in base.
> 12.2 (and possibly older 12.x, I don't know) already provides several
> certificates in /usr/share/certs/trusted.
>
> How are we expected to deal with this?
> Is security/ca_root_nss still needed/suggested?
> Is it expected to be obsoleted (although easier to update)?
>
> What's the correct procedure to add additional certificates?
> I guess just dropping them in /usr/share/certs/trusted won't be enough...
>
> bye & Thanks
> av.
>

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
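Added example, not the poster's mv_nss_cert.sh and not part of the ca_root_nss port: a POSIX sh version of the same merge that leaves the package-owned ca-root-nss.crt untouched and writes the combined bundle to a separate file, refuses to build a trust store from an empty or missing input, does nothing when the output is already current, and replaces the output with a single rename so no reader ever sees a half-written bundle. The function names, the output file name and the PEM-shaped blocks in the demo are assumptions; the demo "certificates" are constructed placeholders, not real certificates, and the block only counts PEM headers, it never parses them.

```shell
#!/bin/sh
# Added example (not the poster's mv_nss_cert.sh): idempotent, atomic merge
# of a site CA bundle onto a copy of the ca_root_nss bundle. All paths are
# parameters; the file names used in the demo below are assumptions.
set -u

# count_certs FILE: print the number of PEM certificate blocks in FILE
# (0 if FILE is missing or holds none).
count_certs() {
    if [ -f "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
    else
        echo 0
    fi
}

# merge_ca_bundle NSS_BUNDLE SITE_BUNDLE OUT
#   Write NSS_BUNDLE followed by SITE_BUNDLE to OUT. If OUT already holds
#   exactly that content nothing is touched; otherwise the previous OUT is
#   kept as OUT-YYYYMMDD and the new file is moved into place with one
#   rename, so a reader sees either the old or the new bundle, never a
#   partial one. Returns 1 without writing anything when either input holds
#   no certificate: concatenating a missing or empty system bundle would
#   quietly produce a store that trusts only the site CA, or nothing at all.
merge_ca_bundle() {
    nss=$1; site=$2; out=$3
    if [ "$(count_certs "$nss")" -eq 0 ]; then
        echo "merge_ca_bundle: no certificates in $nss" >&2; return 1
    fi
    if [ "$(count_certs "$site")" -eq 0 ]; then
        echo "merge_ca_bundle: no certificates in $site" >&2; return 1
    fi
    tmp=$(mktemp "$(dirname "$out")/.ca-bundle.XXXXXX") || return 1
    cat "$nss" "$site" > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"            # already up to date: no backup, no rewrite
        return 0
    fi
    if [ -f "$out" ]; then
        cp -p "$out" "$out-$(date +%Y%m%d)" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0644 "$tmp"           # mktemp creates 0600; a trust store must be world-readable
    mv "$tmp" "$out"
}

# --- demo on constructed input: PEM-shaped placeholders, not real certs ---
fake_cert() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }

demo=$(mktemp -d)
# stands in for the pkg-installed /usr/local/share/certs/ca-root-nss.crt
{ fake_cert public-root-1; fake_cert public-root-2; } > "$demo/ca-root-nss.crt"
# stands in for the site's own CA_HLL_PKI_*_ca-bundle.crt
fake_cert site-root > "$demo/site-ca-bundle.crt"
merge_ca_bundle "$demo/ca-root-nss.crt" "$demo/site-ca-bundle.crt" "$demo/ca-root-nss-site.crt"
echo "$(count_certs "$demo/ca-root-nss-site.crt") certificates in $demo/ca-root-nss-site.crt"
rm -rf "$demo"
```

Run it after each pkg upgrade of ca_root_nss with the real paths in place of the demo ones. Writing to a separate file rather than over the package's own ca-root-nss.crt means the next upgrade cannot silently undo the merge and pkg check -s will not report the package file as modified; applications then point at the merged file through their own .conf files or, for anything linked against OpenSSL, through the SSL_CERT_FILE environment variable.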