[OmniOS-discuss] ssl root CA certs
Eric Sproul
esproul at omniti.com
Fri Oct 12 10:14:37 EDT 2012
On Thu, Oct 11, 2012 at 6:36 PM, Paul B. Henson <henson at acm.org> wrote:
> I noticed omnios installs a standard set of root CA certs in
> /etc/certs/CA; however, openssl is looking for them in /usr/ssl/certs,
> which was empty. I ended up running
>
> for f in /etc/certs/CA/* ; do ln -s $f /usr/ssl/certs/`openssl x509 -hash -noout -in $f`.0; done
>
> to make the hashed symlinks so openssl based apps (such as wget) would
> find the root CAs.
Paul,
You bring up an interesting point, and there are multiple ways we
could solve it. For curl and wget, we ship a dependent package,
web/ca-bundle, which delivers a single .pem file containing all the
root CA certs. We get this file from http://curl.haxx.se/ca/
We build curl to use this file, so https links work out of the box in
curl. Wget can be induced to use it by adding "ca_certificate =
/etc/cacert.pem" to /etc/wgetrc. We may just ship a default wgetrc
with this option added. I don't see a downside to doing that. That
takes care of the common case with curl/wget, but leaves the larger
question of how we want OpenSSL to behave.
>
> If there's an intention for openssl to recognize root CAs out of the
> box, perhaps these symlinks can be made during the install?
The certs in /usr/ssl/certs come from the crypto/ca-certificates
package which is part of illumos-gate. OpenSSL is not: we build that
ourselves, mostly following the way it was built previously in
OpenSolaris/OI, which is to say, without any connection to
crypto/ca-certificates. I'll look into what we might do there; thanks
for pointing it out.
Eric
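The hashed-symlink layout from the quoted one-liner, as an added example that is not code from the thread: a POSIX sh function that populates an OpenSSL `-CApath` style directory (such as /usr/ssl/certs above) and also handles two CAs that share a subject hash, which the one-liner does not. It assumes openssl(1) on PATH; `rehash_dir` and `count_links` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: build the hashed-symlink
# directory that OpenSSL's -CApath lookup (and apps using the default
# cert directory) expects. Assumes openssl(1) on PATH and one PEM
# certificate per file in SRC.

# rehash_dir SRC DST: link every cert in SRC into DST as <subject_hash>.<n>
rehash_dir() {
    src=$1
    dst=$2
    # Symlink targets must be absolute, or they resolve relative to DST.
    case $src in /*) ;; *) src=$(pwd)/$src ;; esac
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        # -hash is the subject-name hash this openssl build uses for
        # directory lookups (the new-style hash on 1.0.0 and later).
        h=$(openssl x509 -hash -noout -in "$f" 2>/dev/null) ||
            { echo "skipping unparsable file: $f" >&2; continue; }
        # Distinct CAs can share a subject hash; OpenSSL probes <hash>.0,
        # <hash>.1, ... so take the first free suffix instead of failing.
        n=0
        while [ -L "$dst/$h.$n" ] || [ -e "$dst/$h.$n" ]; do
            if [ "$(readlink "$dst/$h.$n")" = "$f" ]; then
                n=-1   # already linked: re-running is a no-op
                break
            fi
            n=$((n + 1))
        done
        if [ "$n" -ge 0 ]; then
            ln -s "$f" "$dst/$h.$n"
        fi
    done
}

# count_links DST: number of <hash>.<n> entries, for a sanity check
count_links() {
    ls "$1" | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$'
}
```

OpenSSL 1.1.0 and later ships `openssl rehash` (and older releases the `c_rehash` Perl script), which produces the same layout; the function above is useful where neither is installed.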