Date:      Mon, 9 Mar 2015 17:28:10 +0100
From:      Florian Heigl <florian.heigl@gmail.com>
To:        krad <kraduk@gmail.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Adding a root CA cert on FreeBSD10
Message-ID:  <86A77076-E8E3-45F9-B07D-3E47EE120B6E@gmail.com>
In-Reply-To: <CALfReydY9yYT9srfM_mKHtMoNuRLrBGK2bewxuLG8T8RvYCcDQ@mail.gmail.com>
References:  <CAFivhP=n1J64DMfgYF8wq7%2B3%2BrA_Lfd-cgWRSXTozf0QTmRTaQ@mail.gmail.com> <CALfReydY9yYT9srfM_mKHtMoNuRLrBGK2bewxuLG8T8RvYCcDQ@mail.gmail.com>


Hi,

thank you a lot!

I’ll try adding hashed versions, i.e. with ln -s my_ca_cert hash.0 

Do you know / understand the preference between the different directories on FreeBSD?
I very much like using /etc/ssl/certs but since we also have the /usr/local/etc/ssl and /usr/share.. and /usr/local/openssl paths I really wonder what the “right” path would be.

Anyone?

Florian


On 09.03.2015, at 15:12, krad <kraduk@gmail.com> wrote:

> I got mine working fine when I built a transparent ssl proxy. I had to put all the root certs into /etc/ssl/certs
> 
> The filenames had to be the hash of the cert though. This can be generated via the following command
> 
>  openssl x509 -noout -hash -in <cert>
> 
> eg
> 
> # openssl x509 -noout -hash -in some_cert
> 0810bc98
> # mv some_cert /etc/ssl/certs/0810bc98.0
> 
> 
> On 8 March 2015 at 18:26, Florian Heigl <florian.heigl@gmail.com> wrote:
> Hi,
> 
> I'm trying to identify how and where to add a trusted root certificate in
> FreeBSD10.
> 
> Doing so used to be dead easy on FreeBSD until now, just drop them in
> /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked.
> This seems to be no longer true?
> 
> I'm working with CACert or "private" CAs in many cases, so this is a
> standard thing. Right now I'm pulling my hair how to make it work in
> FreeBSD 10.
> 
> What I want:
> - openssl s_client -connect to work
> 
> I'm aware different tools are using different methods, but i.e. curl on
> many OS is tamed to respect the openssl CAs so I figure once openssl is
> happy it should be all good.
> But OpenSSL ain't happy:
> 
> 
>  # openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
> depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
> Authority, emailAddress = support@cacert.org
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
> Authority/emailAddress=support@cacert.org
>     Verify return code: 19 (self signed certificate in certificate chain)
> 
> I've put the CACert certificates in the following places, to no avail:
> 
> /etc/ssl/certs/cacert-class3.crt
> /etc/ssl/certs/cacert-root.crt
> /usr/local/etc/ssl/cacert-root.crt
> /usr/local/etc/ssl/certs/cacert-root.crt
> /usr/local/etc/ssl/certs/cacert-class3.crt
> /usr/local/etc/ssl/cacert-class3.crt
> /usr/local/etc/openssl/cacert-class3.crt
> /usr/local/etc/openssl/cacert-root.crt
> /usr/local/etc/openssl/certs/cacert-class3.crt
> /usr/local/etc/openssl/certs/cacert-root.crt
> 
> I've not tried to patch them into the OS-side CA bundles
> like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be
> lost on update of the package.
> 
> Is there any documentation regarding certs that is _working_ on FreeBSD10?
> I'm so far still inclined the error is on my side, but without current
> documentation it's hard to tell.
> 
> 
> Florian
> 
> 
> (I hope we didn't inherit another shitty linux mechanism like hal,
> update-ca-certs or resolvconf to break proven functionality.
> If so, please let me know what it is and I'll gladly open a PR to name it a
> regression.
> Also, please excuse my lack of enthusiasm, but this has ruined much of my
> day meaning the coming week will also be ruined, trying to catch up)
> 
> 
> 
> --
> the purpose of libvirt is to provide an abstraction layer hiding all xen
> features added since 2006 until they were finally understood and copied by
> the kvm devs.
> 
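The hash-directory convention krad describes, as an added example that is not part of this thread: a small POSIX sh helper that installs a CA certificate under its subject hash with collision-safe suffixes (hash.0, hash.1, ...) and checks that OpenSSL actually trusts it through -CApath. It assumes the openssl CLI (1.1 or newer) is on PATH and that the default CApath is OPENSSLDIR/certs; the paths used are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): install a CA certificate into an
# OpenSSL-style hash directory and check that OpenSSL trusts it.
# Assumes the openssl CLI is on PATH; directory names are illustrative.
set -eu

# OpenSSL's default CApath is $OPENSSLDIR/certs. This prints that path for
# the openssl binary found first on PATH, which is how to tell whether
# /etc/ssl/certs or a /usr/local/... directory is the one being consulted.
default_capath() {
    openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1\/certs/'
}

# Install PEM cert $1 into hash dir $2 as <subject_hash>.<n>, using the
# lowest free n. OpenSSL tries hash.0, hash.1, ... in turn, so two CAs with
# identical subject names (same hash) both stay usable. A symlink (ln -s)
# works just as well as a copy. Prints the installed path.
install_ca_cert() {
    cert=$1; dir=$2
    hash=$(openssl x509 -noout -hash -in "$cert")   # same as -subject_hash
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        # identical cert already present: nothing to do
        if cmp -s "$cert" "$dir/$hash.$n"; then
            echo "$dir/$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    cp "$cert" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# Return 0 when cert $1 chains to a trusted CA in hash dir $2. This is the
# same path building s_client uses, so "Verify return code: 0 (ok)" in
# s_client corresponds to this succeeding.
verify_against() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}
```

Running default_capath under both /usr/bin/openssl and a ports-built openssl shows that each binary has its own OPENSSLDIR, and therefore its own certs directory, which is why certificates dropped into one location are invisible to the other build.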