From: Kevin Kobb
To: freebsd-questions@freebsd.org
Date: Wed, 25 Jun 2008 13:20:55 -0400
Subject: Re: Install Microsoft Root Certificates into FreeBSD
In-Reply-To: <20080625120556.310b2b23@scorpio>

Gerard wrote:
> FreeBSD-6.3
>
> I wanted to import the root certificates from my WinXP machine into my
> FreeBSD server.
> I found a site:
>
> http://safari.ibmpressbooks.com/9781593271459/configure-id11
>
> that supplied information on how to accomplish this. This is an
> excerpt from that page.
>
>
> In order to avoid errors when visiting SSL-encrypted websites, a file
> named cert.pem containing public certificates of Trusted Root
> Certification Authorities needs to be present in
> the /usr/local/openssl/certs directory. This file can be constructed by
> exporting an existing collection of trusted root certificates from
> another operating system, namely Microsoft Windows XP or Macintosh OS
> X.
>
> 12.6.1. Microsoft Windows XP
>
> To export trusted root certificates from a Windows XP system:
>
> Click the Start menu and open the Control Panel.
>
> Double-click the Internet Options icon.
>
> Click the Content tab then click the Certificates... button.
>
> Click the Trusted Root Certification Authorities tab.
>
> Click the first entry in the list and then scroll down to the end of
> the list. While holding the [shift] key, click the last entry in the
> list. This will select all of the listed certificates.
>
> Click the Export button and then click Next > at the wizard Welcome
> screen.
>
> Click the Browse... button and save the file as cert.p7b in a location
> of your choice.
>
> Click Next > when you are returned to the File Name prompt.
>
> Click Finish to complete the export.
>
> Copy the file cert.p7b to the /usr/local/openssl/certs directory on
> your FreeBSD system using SFTP or a similar file transfer utility (see
> "OpenSSH Server 4.7p1" for details on SFTP).
>
> Once the cert.p7b file is in the proper location, run the following
> command to convert it into the required PEM (Privacy Enhanced Mail)
> format:
>
>   # cd /usr/local/openssl/certs
>   # openssl pkcs7 -inform DER -in cert.p7b -print_certs -text -out cert.pem
>
> You should now be able to securely connect to websites "trusted" by
> Microsoft without Lynx SSL errors.
>
>
> The problem is that I do not have a: /usr/local/openssl/certs
> directory. I do have a: /usr/local/share/certs directory though. Could
> I use that directory instead, or do I have to create the specified one?
> I also read about creating an /etc/ssl/certs directory somewhere.
>

I think you could accomplish what you are after more easily by installing the ca_root_nss port.
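
An added example, not part of the original messages: shell functions for reviewing the cert.pem that the quoted `openssl pkcs7` command writes, listing each certificate's validity status, SHA-256 fingerprint and subject before the file is used as a trust store. The function names and the throwaway sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a PEM bundle such as the cert.pem written by
# `openssl pkcs7 -print_certs -text` before using it as a trust store.

# split_bundle BUNDLE OUTDIR (hypothetical helper)
# Write each certificate to OUTDIR/NNN.pem and print how many were found.
# The readable dump that -text places between PEM blocks is skipped.
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n); keep = 1 }
        keep { print > out }
        /^-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# audit_bundle BUNDLE (hypothetical helper)
# Print "STATUS<TAB>SHA-256 fingerprint<TAB>subject" per certificate.
audit_bundle() {
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp" >/dev/null
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || continue
        if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
            status=UNPARSABLE
        elif openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            status=VALID
        else
            status=EXPIRED
        fi
        fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
        subj=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null) || subj="(no subject)"
        printf '%s\t%s\t%s\n' "$status" "$fp" "$subj"
    done
    rm -rf "$tmp"
}

# make_sample_bundle DIR (constructed input, not real CA data)
# Build a throwaway self-signed certificate, pack it into a DER PKCS#7 file,
# then convert it with the command quoted in the thread.
make_sample_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Sample Root" \
        -keyout "$1/key.pem" -out "$1/root.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$1/root.pem" -outform DER -out "$1/cert.p7b" &&
    openssl pkcs7 -inform DER -in "$1/cert.p7b" -print_certs -text -out "$1/cert.pem"
}
```

Running `audit_bundle cert.pem` on a real export gives one line per root, which can be checked against the fingerprints each CA publishes.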