[OmniOS-discuss] ssl root CA certs

Eric Sproul esproul at omniti.com
Fri Oct 12 10:14:37 EDT 2012


On Thu, Oct 11, 2012 at 6:36 PM, Paul B. Henson <henson at acm.org> wrote:
> I noticed omnios installs a standard set of root CA certs in
> /etc/certs/CA; however, openssl is looking for them in /usr/ssl/certs,
> which was empty. I ended up running
>
> for f in /etc/certs/CA/* ; do ln -s "$f" /usr/ssl/certs/"$(openssl x509 -hash -noout -in "$f")".0; done
>
> to make the hashed symlinks so openssl based apps (such as wget) would
> find the root CA's.

Paul,
You bring up an interesting point, and there are multiple ways we
could solve it.  For curl and wget, we ship a dependent package,
web/ca-bundle, which delivers a single .pem file containing all the
root CA certs.  We get this file from http://curl.haxx.se/ca/

We build curl to use this file, so https links work out of the box in
curl.  Wget can be induced to use it by adding "ca_certificate =
/etc/cacert.pem" to /etc/wgetrc.  We may just ship a default wgetrc
with this option added.  I don't see a downside to doing that.  That
takes care of the common case with curl/wget, but leaves the larger
question of how we want OpenSSL to behave.

>
> If there's an intention for openssl to recognize root CA's out of the
> box, perhaps these symlinks can be made during the install?

The certs in /usr/ssl/certs come from the crypto/ca-certificates
package which is part of illumos-gate.  OpenSSL is not-- we build that
ourselves, mostly following the way it was built previously in
OpenSolaris/OI, which is to say, without any connection to
crypto/ca-certificates.  I'll look into what we might do there; thanks
for pointing it out.

Eric
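The hashed-symlink approach from the thread, written out as a POSIX sh script (an added example, not code from either poster or from OmniOS). Unlike the one-liner it quotes paths, skips files that are not a single PEM certificate, gives a second CA with the same subject hash the next free suffix (.1, .2, ...) instead of overwriting .0, is safe to re-run, and finishes with an `openssl verify -CApath` pass so a broken link shows up before wget or curl does. It assumes `openssl` is on PATH and that the directory names are supplied by the caller; the hash is OpenSSL's `-subject_hash`, so the links match the OpenSSL build that created them.

```shell
#!/bin/sh
# Populate an OpenSSL CApath directory with hashed symlinks.
# Usage: rehash_capath SRC_DIR DEST_DIR   (e.g. /etc/certs/CA /usr/ssl/certs)
rehash_capath() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        # Only link files OpenSSL can parse as a certificate (skips README, .crl, etc.)
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || { echo "skip: $f" >&2; continue; }
        h=$(openssl x509 -subject_hash -noout -in "$f")
        # Walk HASH.0, HASH.1, ... until a free slot; two CAs can share a subject hash
        n=0
        while [ -e "$dest/$h.$n" ]; do
            # Already linked to this very certificate: nothing to do
            if cmp -s "$f" "$dest/$h.$n"; then n=-1; break; fi
            n=$((n + 1))
        done
        if [ "$n" -ge 0 ]; then
            ln -s "$f" "$dest/$h.$n"
        fi
    done
}

# Check that every certificate in SRC_DIR verifies against DEST_DIR.
# A self-signed root verifies only if the store actually contains it,
# so this catches a missing or mis-hashed link. Returns 1 on any failure.
check_capath() {
    src="$1"; dest="$2"; rc=0
    for f in "$src"/*; do
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || continue
        if ! openssl verify -CApath "$dest" "$f" >/dev/null 2>&1; then
            echo "FAIL: $f does not verify against $dest" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Run `rehash_capath /etc/certs/CA /usr/ssl/certs && check_capath /etc/certs/CA /usr/ssl/certs` after a package update that changes the CA set; re-running is harmless because existing links are detected rather than duplicated.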