OpenSSL Certificate issue

Paul Kraus paul at kraus-haus.org
Thu Jan 10 20:38:00 UTC 2013


On Jan 10, 2013, at 2:06 PM, Greg Larkin wrote:
> On 1/10/13 1:38 PM, Paul Kraus wrote:
> 
> I put the certs for my test in /etc/ssl/certs when using the base
> system openssl and in /usr/local/openssl/certs when using the openssl
> port.
> 
> c_rehash uses a specific openssl binary when invoked like so:
> 
> env OPENSSL=/usr/bin/openssl c_rehash /etc/ssl/certs
> 
> You can set the OPENSSL and SSL_CERT_DIR environment variables
> permanently, and that would ensure everything is consistent going
> forward, even if the openssl port is present.

That almost worked; the default directory for certs is /etc/ssl:

[root at MailArch /etc/ssl]# pwd
/etc/ssl
[root at MailArch /etc/ssl]# ls -l
total 12
lrwxr-xr-x  1 root  wheel     8 Jan 10 15:26 882de061.0 -> cert.pem
lrwxr-xr-x  1 root  wheel    38 Jan 10 15:22 cert.pem -> /usr/local/share/certs/ca-root-nss.crt
-rw-r--r--  1 root  wheel  9468 Jan  3  2012 openssl.cnf
[root at MailArch /etc/ssl]#

The clue was in the ca_root_nss port. If you enable etc symlink creation it creates the link in /etc/ssl. After running c_rehash (using the correct openssl) in that directory, the other tools that just call the openssl libraries find the root certs just fine.

Thanks for the help.

--
Paul Kraus
Deputy Technical Director, LoneStarCon 3
Sound Coordinator, Schenectady Light Opera Company
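
The check described in the message above, as an added example that is not part of the original post: it confirms that every hash link in a certificate directory resolves to a readable file and carries the name that the binary in `$OPENSSL` (the variable `c_rehash` reads) computes for it. The function name `check_hash_links` is hypothetical; the subject-hash algorithm changed in OpenSSL 1.0.0, so links created by one binary can be invisible to libraries from another.

```sh
#!/bin/sh
# check_hash_links DIR  (hypothetical helper, not from the original thread)
#
# For each hash-named link in DIR (8 hex digits, a dot, an index), report:
#   ok        link resolves and its name matches the computed subject hash
#   dangling  link target is missing or unreadable
#   mismatch  link name differs from what the selected binary computes
# Returns 0 only if at least one link exists and every link is "ok".
#
# Usage: OPENSSL=/usr/bin/openssl; export OPENSSL; check_hash_links /etc/ssl
check_hash_links() {
    dir=$1
    ossl=${OPENSSL:-openssl}    # same selection variable c_rehash uses
    rc=0
    found=0
    for link in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        # An unmatched glob stays literal; skip it. Keep dangling symlinks.
        [ -e "$link" ] || [ -L "$link" ] || continue
        found=1
        name=${link##*/}
        if [ ! -r "$link" ]; then
            echo "dangling  $name"
            rc=1
            continue
        fi
        # x509 reads only the first certificate in the file.
        want=$("$ossl" x509 -noout -subject_hash -in "$link" 2>/dev/null) || want=
        if [ "$want" = "${name%%.*}" ]; then
            echo "ok        $name"
        else
            echo "mismatch  $name (binary computes ${want:-nothing})"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no-links  $dir"
        rc=1
    fi
    return $rc
}
```

Run it once per installed binary, for example with `OPENSSL` set to `/usr/bin/openssl` and then to the port's binary, to see which one the existing links were made for.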


