Date:      Wed, 26 Jul 2017 12:23:28 -0500 (CDT)
From:      "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To:        byrnejb@harte-lyne.ca
Cc:        freebsd-questions@freebsd.org
Subject:   Re: HTTP Error: Unacceptable TLS Certificate
Message-ID:  <33820.128.135.52.6.1501089808.squirrel@cosmo.uchicago.edu>
In-Reply-To: <895366c1b1ff7a614240b9b6e32a3e77.squirrel@webmail.harte-lyne.ca>
References:  <895366c1b1ff7a614240b9b6e32a3e77.squirrel@webmail.harte-lyne.ca>

On Wed, July 26, 2017 11:53 am, James B. Byrne via freebsd-questions wrote:
> I have searched rather diligently for some answer to this question and
> have not found anything useful.  I have added our root and issuer CA
> certificates to KDE's root certificate store (buried deep within an
> obscurely named submenu called 'Look and Feel').  But that has not
> changed the behaviour of the file browser.
>
> How does one add private certificates to the Mate desktop so that
> webdav connections to websites thereby secured may be successful?
>

Well, I actually would install

ca_root_nss

package on the client machine(s). It installs root certificates into the

/usr/local/share/certs/ca-root-nss.crt

file, and it simultaneously creates a symlink

/etc/ssl/cert.pem

pointing to that file. Unless I am mistaken, it is either one or another
of the above that is used as the local root cert store, so if you add your
own Certification Authority certificate to the
/usr/local/share/certs/ca-root-nss.crt file, then all applications
checking that certificates are signed by a known authority will be happy
about certificates signed by your CA certificate. This has to be done on
all client machines, so you may think of creating a custom package and
installing it instead of ca_root_nss.

I envision the following problem if you just edited the file that came with
the ca_root_nss package: once you install an update for the ca_root_nss
package, it will overwrite the file you have added your CA cert into. When
I ran my own CA it was always a hassle, which can be overcome in one of
several ways.

If you don't want the machine to recognize any of the known Certification
Authorities, only your own, then you can just manually create the file
with your CA cert and symlink to it as above.

I hope this helps.

Valeri

>
>
> --
> ***          e-Mail is NOT a SECURE channel          ***
>         Do NOT transmit sensitive data via e-Mail
>  Do NOT open attachments nor follow links sent by e-Mail
>
> James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
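
The overwrite problem described in the reply above can be sidestepped by keeping the private CA in its own file and regenerating a combined bundle from it. The script below is an added example, not part of the original message: the private-CA and combined-bundle paths are hypothetical, and it assumes it is re-run after each ca_root_nss install or update.

```shell
#!/bin/sh
# Added example. NSS bundle and symlink paths are the ones named in the message;
# the private CA and combined-bundle file names are hypothetical.
# Usage (as root, after every ca_root_nss install or update):
#   sh build_bundle.sh /usr/local/share/certs/ca-root-nss.crt \
#      /usr/local/etc/ssl/private-ca.pem /usr/local/etc/ssl/combined-ca.pem \
#      /etc/ssl/cert.pem

count_certs() {   # print the number of PEM certificate blocks in file $1
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

build_bundle() {  # build_bundle NSS_BUNDLE PRIVATE_CA COMBINED_OUT SYMLINK
    nss=$1; ca=$2; out=$3; link=$4
    [ -r "$nss" ] && [ -r "$ca" ] || { echo "unreadable input file" >&2; return 1; }

    # Accept only a file holding exactly one complete certificate.
    begins=$(count_certs "$ca")
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$ca" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || {
        echo "$ca: expected exactly one PEM certificate" >&2; return 2; }

    # The trust store is world-readable: never let key material into it.
    if grep -q -e 'PRIVATE KEY-----' "$ca"; then
        echo "$ca: contains a private key, refusing" >&2; return 3
    fi

    # Build in a temp file beside the target, then rename into place so
    # readers never see a half-written bundle. The package file is not modified.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    { cat "$nss"; echo; echo "# locally added private CA"; cat "$ca"; } > "$tmp" &&
        chmod 644 "$tmp" && mv -f "$tmp" "$out" || { rm -f "$tmp"; return 1; }

    ln -sfn "$out" "$link"   # repoint the symlink at the combined bundle
}

if [ "$#" -eq 4 ]; then build_bundle "$@"; fi
```

Because the combined file is rebuilt from the package's bundle each time, running the script twice does not append the private CA twice.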


