Date: Sun, 8 Mar 2015 19:26:06 +0100
From: Florian Heigl <florian.heigl@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Adding a root CA cert on FreeBSD10
Message-ID: <CAFivhP=n1J64DMfgYF8wq7%2B3%2BrA_Lfd-cgWRSXTozf0QTmRTaQ@mail.gmail.com>
Hi,

I'm trying to identify how and where to add a trusted root certificate in FreeBSD10.

Doing so used to be dead easy on FreeBSD until now: just drop them in /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked. This seems to be no longer true?

I'm working with CACert or "private" CAs in many cases, so this is a standard thing. Right now I'm pulling my hair out over how to make it work in FreeBSD 10.

What I want:
- openssl s_client -connect to work

I'm aware different tools are using different methods, but i.e. curl on many OSes is tamed to respect the OpenSSL CAs, so I figure once OpenSSL is happy it should be all good.

But OpenSSL ain't happy:

# openssl s_client -connect demoserver:443 | grep -i -e issuer -e verify
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify error:num=19:self signed certificate in certificate chain
verify return:0
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    Verify return code: 19 (self signed certificate in certificate chain)

I've put the CACert certificates in the following places, to no avail:

/etc/ssl/certs/cacert-class3.crt
/etc/ssl/certs/cacert-root.crt
/usr/local/etc/ssl/cacert-root.crt
/usr/local/etc/ssl/certs/cacert-root.crt
/usr/local/etc/ssl/certs/cacert-class3.crt
/usr/local/etc/ssl/cacert-class3.crt
/usr/local/etc/openssl/cacert-class3.crt
/usr/local/etc/openssl/cacert-root.crt
/usr/local/etc/openssl/certs/cacert-class3.crt
/usr/local/etc/openssl/certs/cacert-root.crt

I've not tried to patch them into the OS-side CA bundles like ca_root_nss-3.17.4_1. That would be utterly stupid since they would be lost on update of the package.

Is there any documentation regarding certs that is _working_ on FreeBSD10?
I'm so far still inclined to think the error is on my side, but without current documentation it's hard to tell.

Florian

(I hope we didn't inherit another shitty linux mechanism like hal, update-ca-certs or resolvconf to break proven functionality. If so, please let me know what it is and I'll gladly open a PR to name it a regression.
Also, please excuse my lack of enthusiasm, but this has ruined much of my day, meaning the coming week will also be ruined trying to catch up.)

-- 
the purpose of libvirt is to provide an abstraction layer hiding all xen features added since 2006 until they were finally understood and copied by the kvm devs.
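As an added example (not part of Florian's mail or anything the FreeBSD project ships), the sh script below reproduces the symptom with a constructed private CA and shows the step the mail skipped: OpenSSL's CApath lookup only finds a CA through a file or symlink named after the certificate's subject hash, so a PEM copied into /etc/ssl/certs under its own name is never consulted. It assumes openssl(1) is in PATH with a stock openssl.cnf (for the v3_ca section) and that, as with FreeBSD's base OpenSSL (OPENSSLDIR=/etc/ssl), /etc/ssl/certs is the default CApath; it works in a scratch directory instead of touching /etc.

```shell
#!/bin/sh
# Added example, not from the original mail. Demonstrates why a .crt copied into a
# CApath directory is ignored until a <subject-hash>.0 link exists, and how to add one.
# Assumes openssl(1) in PATH and a stock openssl.cnf. Scratch dirs stand in for /etc/ssl/certs.
set -eu

WORK=$(mktemp -d)

# Constructed private CA plus a leaf it signed (stand-ins for the CAcert root and demoserver).
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -extensions v3_ca \
        -subj "/O=Example Private CA/CN=Example Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demoserver" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/srv.crt" >/dev/null 2>&1
}

# What the mail did: copy the CA file into the directory ($1) under an arbitrary name.
install_plain_copy() {
    mkdir -p "$1"
    cp "$WORK/ca.crt" "$1/cacert-root.crt"
}

# The missing step: CApath is searched by subject hash, so add the <hash>.0 symlink
# (the same link c_rehash(1) creates for every certificate in a directory).
install_hash_link() {
    install_plain_copy "$1"
    h=$(openssl x509 -noout -subject_hash -in "$1/cacert-root.crt")
    ln -sf cacert-root.crt "$1/$h.0"
}

# Returns 0 only if OpenSSL builds a trusted chain for the leaf using CApath $1 alone.
verify_leaf() {
    openssl verify -CApath "$1" "$WORK/srv.crt" 2>/dev/null | grep -q ': OK$'
}

make_test_chain
install_plain_copy "$WORK/plain"
install_hash_link "$WORK/hashed"
verify_leaf "$WORK/plain"  && echo "plain copy: trusted (unexpected)" || echo "plain copy: NOT trusted"
verify_leaf "$WORK/hashed" && echo "hash link:  trusted" || echo "hash link:  NOT trusted"
```

On the real system the same two steps apply to /etc/ssl/certs for the base OpenSSL (a ports-installed OpenSSL reads its own OPENSSLDIR instead); a cert whose hash link is missing produces exactly the "self signed certificate in certificate chain" result quoted above when the server sends the root itself.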