Date: Mon, 9 Mar 2015 17:28:10 +0100 From: Florian Heigl <florian.heigl@gmail.com> To: krad <kraduk@gmail.com>, FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: Adding a root CA cert on FreeBSD10 Message-ID: <86A77076-E8E3-45F9-B07D-3E47EE120B6E@gmail.com> In-Reply-To: <CALfReydY9yYT9srfM_mKHtMoNuRLrBGK2bewxuLG8T8RvYCcDQ@mail.gmail.com> References: <CAFivhP=n1J64DMfgYF8wq7%2B3%2BrA_Lfd-cgWRSXTozf0QTmRTaQ@mail.gmail.com> <CALfReydY9yYT9srfM_mKHtMoNuRLrBGK2bewxuLG8T8RvYCcDQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, thank you a lot! I=92ll try adding hashed versions, i.e. with ln -s my_ca_cert hash.0=20 Do you know / understand the preference between the different = directories on FreeBSD? I very much like using /etc/ssl/certs but since we also have the = /usr/local/etc/ssl and /usr/share.. and /usr/local/openssl paths I = really wonder what the =93right=94 path would be. Anyone? Florian On 09.03.2015, at 15:12, krad <kraduk@gmail.com> wrote: > I got mine working fine when i built a transparent ssl proxy. I had to = put all the root certs into /etc/ssl/certs >=20 > The filenames had to be a the hash of the cert though. This can be = generated via the following command >=20 > openssl x509 -noout -hash -in <cert> >=20 > eg >=20 > # openssl x509 -noout -hash -in some_cert > 0810bc98 > # mv some_cert /etc/ssl/certs/0810bc98.o >=20 >=20 > On 8 March 2015 at 18:26, Florian Heigl <florian.heigl@gmail.com> = wrote: > Hi, >=20 > I'm trying to identify how and where to add a trusted root certificate = in > FreeBSD10. >=20 > Doing so used to be dead easy on FreeBSD until now, just drop them in > /usr/local/etc/ssl/certs or even /etc/ssl/certs and it worked. > This seems to be no longer true? >=20 > I'm working with CACert or "private" CAs in many cases, so this is a > standard thing. Right now I'm pulling my hair how to make it work in > FreeBSD 10. >=20 > What I want: > - openssl s_client -connect to work >=20 > I'm aware different tools are using different methods, but i.e. curl = on > many OS is tamed to respect the openssl CAs so I figure once openssl = is > happy it should be all good. > But OpenSSL ain't happy: >=20 >=20 > # openssl s_client -connect demoserver:443 | grep -i -e issuer -e = verify > depth=3D1 O =3D Root CA, OU =3D http://www.cacert.org, CN =3D CA Cert = Signing > Authority, emailAddress =3D support@cacert.org > verify error:num=3D19:self signed certificate in certificate chain > verify return:0 > issuer=3D/O=3DRoot CA/OU=3Dhttp://www.cacert.org/CN=3DCA Cert Signing > Authority/emailAddress=3Dsupport@cacert.org > Verify return code: 19 (self signed certificate in certificate = chain) >=20 > I've put the CACert certificates in the following places, to no avail: >=20 > /etc/ssl/certs/cacert-class3.crt > /etc/ssl/certs/cacert-root.crt > /usr/local/etc/ssl/cacert-root.crt > /usr/local/etc/ssl/certs/cacert-root.crt > /usr/local/etc/ssl/certs/cacert-class3.crt > /usr/local/etc/ssl/cacert-class3.crt > /usr/local/etc/openssl/cacert-class3.crt > /usr/local/etc/openssl/cacert-root.crt > /usr/local/etc/openssl/certs/cacert-class3.crt > /usr/local/etc/openssl/certs/cacert-root.crt >=20 > I've not tried to patch them into the OS-side CA bundles > like ca_root_nss-3.17.4_1. That would be utterly stupid since they = would be > lost on update of the package. >=20 > Is there any documentation regarding certs that is _working_ on = FreeBSD10? > I'm so far still inclined the error is on my side, but without current > documentation it's hard to tell. >=20 >=20 > Florian >=20 >=20 > (I hope we didn't inherit another shitty linux mechanism like hal, > update-ca-certs or resolvconf to break proven functionality. > If so, please let me know what it is and I'll gladly open a PR to name = it a > regression. > Also, please excuse my lack of enthusiasm, but this has ruined much of = my > day meaning the coming week will also be ruined, trying to catch up) >=20 >=20 >=20 > -- > the purpose of libvirt is to provide an abstraction layer hiding all = xen > features added since 2006 until they were finally understood and = copied by > the kvm devs. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to = "freebsd-questions-unsubscribe@freebsd.org" >=20
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86A77076-E8E3-45F9-B07D-3E47EE120B6E>