Date: Mon, 30 Aug 2010 14:48:18 +0200
From: Bastien Semene <sabbasth@semene.fr>
To: freebsd-questions@freebsd.org
Subject: Add a SSL certificate authority
Message-ID: <4C7BA892.1040705@semene.fr>
Hello,

I'm trying to add a certificate authority, unsuccessfully. The Equifax certificate authority seems not to be registered in FreeBSD, so I tried to add it on my server.

I'm logged in as root and in its homedir.

    #uname -a
    FreeBSD svn.cyanide-studio.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Fri Aug 6 09:37:33 CEST 2010 root@dungeon2.cyanide-studio.com:/usr/obj/usr/src/sys/GEOM i386

    #fetch -o Equifax_Secure_Global_eBusiness_CA-1.pem http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer
    #cd /usr/src/crypto/openssl/tools
    #chmod u+x c_rehash
    #./c_rehash ~/
    Doing /root/
    Equifax_Secure_Global_eBusiness_CA-1.pem => 74c26bd0.0

My goal being to check out an SVN repository, I re-launch the command:

    # svn co https://svn.cyanide-studio.com/admin admin-svn [root@backup]
    Error validating server certificate for 'https://svn.cyanide-studio.com:443':
     - The certificate is not issued by a trusted authority. Use the
       fingerprint to validate the certificate manually!
    Certificate information:
     - Hostname: *.cyanide-studio.com
     - Valid: from Sun, 22 Aug 2010 13:04:24 GMT until Thu, 25 Aug 2011 22:05:01 GMT
     - Issuer: Equifax Secure Certificate Authority, Equifax, US
     - Fingerprint: ed:6d:1f:6c:d4:93:e9:68:44:1c:b2:68:a1:bb:50:b5:af:0e:16:12
    (R)eject, accept (t)emporarily or accept (p)ermanently? R
    svn: OPTIONS of 'https://svn.cyanide-studio.com/admin': Server certificate verification failed: issuer is not trusted (https://svn.cyanide-studio.com)

I've also seen this in the source code of c_rehash:

    while(exists $hashlist{"$hash.r$suffix"}) {
        # Hash matches: if fingerprint matches its a duplicate cert
        if($hashlist{"$hash.r$suffix"} eq $fprint) {
            print STDERR "WARNING: Skipping duplicate CRL $fname\n";
            return;
        }
        $suffix++;
    }

But if I launch the command twice, it still seems to indicate that it's adding the CA.

I'm not sure if I'm doing it correctly, but I found nothing more relevant on Google or in the FreeBSD Handbook.

Can someone point me to a good way to add a CA?

Best Regards,
Bastien Semene
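Added example, not part of the original message or of c_rehash: the svn error above names the issuer as "Equifax Secure Certificate Authority", while the fetched file is Equifax_Secure_Global_eBusiness_CA-1, so this sketch checks that a CA file's subject equals a server certificate's issuer before installing it under the `<hash>.N` name and verifying against that directory. The function names and the three-argument usage are assumptions made for illustration; it needs the `openssl` command and takes the caller's own files.

```shell
#!/bin/sh
# Added example, not from the original message; all file paths are the caller's.

# Print one name field in RFC 2253 form; accepts a PEM or DER certificate.
cert_field() {  # $1 = certificate file, $2 = -subject or -issuer
    { openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 2>/dev/null ||
      openssl x509 -inform DER -in "$1" -noout "$2" -nameopt RFC2253; } |
        sed 's/^[a-z]*= *//'
}

# Succeed only if the CA file's subject is exactly the server certificate's issuer.
ca_matches_issuer() {  # $1 = CA file, $2 = server certificate file
    subj=$(cert_field "$1" -subject)
    [ -n "$subj" ] && [ "$subj" = "$(cert_field "$2" -issuer)" ]
}

# Store the CA as PEM in a hashed directory under <subject-hash>.N, using the
# next free N when another certificate with the same hash is already there.
install_ca() {  # $1 = CA file, $2 = CA directory; prints the installed path
    pem=$(openssl x509 -in "$1" 2>/dev/null || openssl x509 -inform DER -in "$1") || return 1
    hash=$(printf '%s\n' "$pem" | openssl x509 -noout -hash) || return 1
    n=0
    while [ -e "$2/$hash.$n" ]; do
        # Identical content means this CA is already installed.
        [ "$(cat "$2/$hash.$n")" = "$pem" ] && { echo "$2/$hash.$n"; return 0; }
        n=$((n + 1))
    done
    mkdir -p "$2" && printf '%s\n' "$pem" > "$2/$hash.$n" && echo "$2/$hash.$n"
}

# Verify a PEM server certificate against the hashed directory.
verifies_with_capath() {  # $1 = CA directory, $2 = server certificate (PEM)
    # Older openssl builds exit 0 even on failure, so test the printed verdict.
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Usage: sh check_ca.sh <ca-file> <server-cert.pem> <ca-dir>
if [ $# -eq 3 ]; then
    if ! ca_matches_issuer "$1" "$2"; then
        echo "CA subject differs from the certificate issuer" >&2; exit 1
    fi
    install_ca "$1" "$3" >/dev/null && verifies_with_capath "$3" "$2" && echo "verified"
fi
```

Subversion does not consult a hashed directory on its own; it takes additional CA files from the `ssl-authority-files` option in `~/.subversion/servers`.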