Date: Wed, 26 Jul 2017 12:23:28 -0500 (CDT)
From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: HTTP Error: Unacceptable TLS Certificate
Message-ID: <33820.128.135.52.6.1501089808.squirrel@cosmo.uchicago.edu>
In-Reply-To: <895366c1b1ff7a614240b9b6e32a3e77.squirrel@webmail.harte-lyne.ca>
References: <895366c1b1ff7a614240b9b6e32a3e77.squirrel@webmail.harte-lyne.ca>

On Wed, July 26, 2017 11:53 am, James B. Byrne via freebsd-questions wrote:
> I have searched rather diligently for some answer to this question and
> have not found anything useful. I have added our root and issuer CA
> certificates to KDE's root certificate store (buried deep within an
> obscurely named submenu called 'Look and Feel'). But that has not
> changed the behaviour of the file browser.
>
> How does one add private certificates to the Mate desktop so that
> webdav connections to websites thereby secured may be successful?
>

Well, I actually would install the ca_root_nss package on the client machine(s). It installs root certificates into the /usr/local/share/certs/ca-root-nss.crt file, and it simultaneously creates the symlink /etc/ssl/cert.pem pointing to that file. Unless I am mistaken, it is either one or another of the above that is used as the local root cert store, so if you add your own Certification Authority certificate to the /usr/local/share/certs/ca-root-nss.crt file, then all applications checking that certificates are signed by a known authority will be happy about certificates signed by your CA certificate.

This has to be done on all client machines, so you may think of creating a custom package and installing it instead of ca_root_nss.

I envision the following problem if you just edited the file that came with the ca_root_nss package: once you install an update for the ca_root_nss package, it will overwrite the file you have added your CA cert into. When I run my own CA it was always a hassle, which can be overcome in one of several ways.

If you don't want the machine to recognize any of the known Certification Authorities, only your own, then you can just manually create the file with your CA cert and symlink to it as above.

I hope this helps.

Valeri

>
> --
> ***          e-Mail is NOT a SECURE channel          ***
>         Do NOT transmit sensitive data via e-Mail
>  Do NOT open attachments nor follow links sent by e-Mail
>
> James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
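One way to handle the upgrade-overwrite problem described in the message, shown as an added example that is not part of the original e-mail: keep the private CA in its own file and regenerate a merged store for /etc/ssl/cert.pem to point at, instead of editing the package-owned bundle. The paths of PRIVATE_CA and MERGED are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# The package bundle and link paths are those named in the message;
# PRIVATE_CA and MERGED are assumed local file names.
VENDOR_BUNDLE=${VENDOR_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}
CERT_LINK=${CERT_LINK:-/etc/ssl/cert.pem}
PRIVATE_CA=${PRIVATE_CA:-/usr/local/etc/ssl/private-ca.pem}
MERGED=${MERGED:-/usr/local/etc/ssl/ca-merged.crt}

# Print only the PEM certificate blocks of a file (drops comments and text).
pem_blocks() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { p = 0 }' "$1"
}

# Number of certificates in a bundle.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Rebuild the merged store from scratch: package roots first, private CA last.
# The package-owned file is only read, so an upgrade cannot lose the private CA.
# Output goes to a temp file and is renamed, so no reader sees a partial store.
merge_bundle() {
    vendor=$1; private=$2; out=$3
    [ -s "$vendor" ] || { echo "missing bundle: $vendor" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$private" 2>/dev/null ||
        { echo "no certificate in: $private" >&2; return 1; }
    tmp="$out.tmp.$$"
    { pem_blocks "$vendor" && pem_blocks "$private"; } > "$tmp" &&
        chmod 644 "$tmp" && mv -f "$tmp" "$out"
}

# "apply" (as root) rebuilds the store and repoints the system-wide link.
if [ "${1:-}" = apply ]; then
    merge_bundle "$VENDOR_BUNDLE" "$PRIVATE_CA" "$MERGED" &&
        ln -sf "$MERGED" "$CERT_LINK"
fi
```

Re-run it with `apply` after each ca_root_nss upgrade, since per the message the package writes its bundle and creates the /etc/ssl/cert.pem symlink when it is installed.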