From: Bastien Semene
Date: Mon, 30 Aug 2010 14:48:18 +0200
To: freebsd-questions@freebsd.org
Subject: Add a SSL certificate authority
Message-ID: <4C7BA892.1040705@semene.fr>

Hello,

I'm trying to add a certificate authority, unsuccessfully. The Equifax certificate authority seems not to be registered in FreeBSD, so I tried to add it on my server. I'm logged in as root and in its homedir.

#uname -a
FreeBSD svn.cyanide-studio.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Fri Aug 6 09:37:33 CEST 2010 root@dungeon2.cyanide-studio.com:/usr/obj/usr/src/sys/GEOM i386
#fetch -o Equifax_Secure_Global_eBusiness_CA-1.pem http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer
#cd /usr/src/crypto/openssl/tools
#chmod u+x c_rehash
#./c_rehash ~/
Doing /root/
Equifax_Secure_Global_eBusiness_CA-1.pem => 74c2 6bd0.0

My goal being to check out an SVN repository, I re-launch the command:

# svn co https://svn.cyanide-studio.com/admin admin-svn [root@backup]
Error validating server certificate for 'https://svn.cyanide-studio.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.cyanide-studio.com
 - Valid: from Sun, 22 Aug 2010 13:04:24 GMT until Thu, 25 Aug 2011 22:05:01 GMT
 - Issuer: Equifax Secure Certificate Authority, Equifax, US
 - Fingerprint: ed:6d:1f:6c:d4:93:e9:68:44:1c:b2:68:a1:bb:50:b5:af:0e:16:12
(R)eject, accept (t)emporarily or accept (p)ermanently? R
svn: OPTIONS of 'https://svn.cyanide-studio.com/admin': Server certificate verification failed: issuer is not trusted (https://svn.cyanide-studio.com)

I've also seen this in the source code of c_rehash:

    while(exists $hashlist{"$hash.r$suffix"}) {
        # Hash matches: if fingerprint matches its a duplicate cert
        if($hashlist{"$hash.r$suffix"} eq $fprint) {
            print STDERR "WARNING: Skipping duplicate CRL $fname\n";
            return;
        }
        $suffix++;
    }

But if I launch the command twice, it still seems to indicate that it's adding the CA.

I'm not sure if I'm doing it correctly, but I found nothing more relevant on Google or in the FreeBSD Handbook.
Can someone point me to a good way to add a CA?

Best Regards,
Bastien Semene
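
The suffix loop quoted in the message above, modelled in Python as an added example; it is not part of the original message and not OpenSSL's code. The function name `rehash`, the file names, and the hash and fingerprint values are constructed for illustration, and the model assumes the lookup table is rebuilt from scratch on every run, so a second run reports the same links again.

```python
# Model of the suffix loop quoted from c_rehash (illustrative, not the Perl script).
# Assumption: the in-memory table is empty at the start of every run.

def rehash(entries, crl=False):
    """entries: list of (filename, name_hash, fingerprint) tuples.
    Returns (links, skipped); links maps link name -> filename."""
    hashlist = {}                  # link name -> fingerprint, like %hashlist
    links = {}
    skipped = []
    marker = "r" if crl else ""    # CRL links are named <hash>.r<N>
    for fname, name_hash, fprint in entries:
        suffix = 0
        duplicate = False
        # Walk <hash>.0, <hash>.1, ... until a free slot or an identical entry.
        while f"{name_hash}.{marker}{suffix}" in hashlist:
            if hashlist[f"{name_hash}.{marker}{suffix}"] == fprint:
                duplicate = True   # same hash and same fingerprint: skip it
                break
            suffix += 1            # same hash, different object: next slot
        if duplicate:
            skipped.append(fname)
            continue
        link = f"{name_hash}.{marker}{suffix}"
        hashlist[link] = fprint
        links[link] = fname
    return links, skipped

# Constructed sample directory; hash and fingerprint values are made up.
SAMPLE = [
    ("ca-a.pem", "aaaa1111", "FP-A"),
    ("ca-a-copy.pem", "aaaa1111", "FP-A"),  # same certificate stored twice
    ("ca-b.pem", "aaaa1111", "FP-B"),       # different certificate, same name hash
    ("ca-c.pem", "bbbb2222", "FP-C"),
]

if __name__ == "__main__":
    first = rehash(SAMPLE)
    second = rehash(SAMPLE)        # second run starts with an empty table
    print(first)
    print("second run identical:", first == second)
```

The duplicate check only compares entries seen within one run, so it flags a certificate stored twice in the same directory, not one that was hashed by an earlier run.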