Re: Client Certificate Verification
- Reply: Doug Hardie : "Re: Client Certificate Verification"
Date: Sun, 17 Dec 2023 20:13:51 UTC
It appears that Doug Hardie <bc979@lafn.org> said:

> I have an application to which clients connect using a browser over SSL. I have a LetsEncrypt certificate for the app that lets the client authenticate the app. However, I need to have a multitude of client certificates (one per client machine). I am generating these certificates from a self-signed root certificate. I can get the client to verify the app and provide the client certificate to it. The app is unable to verify the client certificate. I have not been able to figure out how to have openssl distribute one certificate (from LetsEncrypt), but verify the received client certificate using a different certificate chain. OpenSSL will pass me some of the received certificate fields. However, without certificate verification I cannot be sure that those values came from a certificate I generated. Is there a way to do this either with openssl or libtls?

OpenSSL gets its list of trusted root signers from a big list in /etc/ssl so you want to add your CA to that list. See the certctl command for more details on how it's managed.

Most FreeBSD systems use the ca_root_nss package to update that list, so the trick is to keep your cert from getting deleted the next time the package is updated. You might try putting your cert in /usr/local/share/certs/ rather than /usr/share/certs/trusted where the standard certs are.

R's,
John
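Added example, not part of the thread: a self-contained Go loopback demo of the arrangement Doug asks about, a server that presents its own certificate chain to the client but verifies client certificates against a separate, application-owned trust store holding only the private client CA (the libssl equivalent is loading that CA with SSL_CTX_load_verify_locations and requiring peer verification with SSL_CTX_set_verify, independent of the system-wide list in /etc/ssl). The PKI is constructed and throwaway: the names app.example, client-ca, machine-1 and other-ca are made up, Ed25519 keys stand in for the LetsEncrypt chain and the self-signed client root, and Go's crypto/tls stands in for OpenSSL/libtls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// mkCert issues a cert for name signed by parent (a self-signed root when parent is nil). Constructed test PKI only.
func mkCert(name string, ca bool, parent *x509.Certificate, pkey any) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// handshake runs one loopback TLS handshake and returns the server's verdict: the client sees srv, but the client cert is checked against clientCA alone.
func handshake(srv, clientCA, cli tls.Certificate) error {
	clientPool, serverPool := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(clientCA.Leaf) // only the private CA that issued the per-machine client certs
	serverPool.AddCert(srv.Leaf)      // what the browser side trusts for the app's own certificate
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: clientPool,
		ClientAuth: tls.RequireAndVerifyClientCert} // a missing or foreign client cert fails the handshake
	cliCfg := &tls.Config{Certificates: []tls.Certificate{cli}, RootCAs: serverPool, ServerName: srv.Leaf.DNSNames[0]}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // client side; a TLS 1.3 client finishes first, so Read surfaces the server's alert or EOF
		if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			conn.Read(make([]byte, 1))
			conn.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	return tls.Server(conn, srvCfg).Handshake()
}
```

Because the server's ClientCAs pool contains nothing but the private CA, a client certificate that chains to it completes the handshake while one issued by any other CA (or no certificate at all) is rejected before the application sees any of its fields, which is the guarantee Doug's post is after.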