OpenSSL Certificate issue
Paul Kraus
paul at kraus-haus.org
Thu Jan 10 20:38:00 UTC 2013
On Jan 10, 2013, at 2:06 PM, Greg Larkin wrote:
> On 1/10/13 1:38 PM, Paul Kraus wrote:
>
> I put the certs for my test in /etc/ssl/certs when using the base
> system openssl and in /usr/local/openssl/certs when using the openssl
> port.
>
> c_rehash uses a specific openssl binary when invoked like so:
>
> env OPENSSL=/usr/bin/openssl c_rehash /etc/ssl/certs
>
> You can set the OPENSSL and SSL_CERT_DIR environment variables
> permanently, and that would ensure everything is consistent going
> forward, even if the openssl port is present.
That almost worked; the default directory for certs is /etc/ssl:
[root@MailArch /etc/ssl]# pwd
/etc/ssl
[root@MailArch /etc/ssl]# ls -l
total 12
lrwxr-xr-x 1 root wheel 8 Jan 10 15:26 882de061.0 -> cert.pem
lrwxr-xr-x 1 root wheel 38 Jan 10 15:22 cert.pem -> /usr/local/share/certs/ca-root-nss.crt
-rw-r--r-- 1 root wheel 9468 Jan 3 2012 openssl.cnf
[root@MailArch /etc/ssl]#
The clue was in the ca_root_nss port. If you enable etc symlink creation it creates the link in /etc/ssl. After running c_rehash (using the correct openssl) in that directory, the other tools that just call the openssl libraries find the root certs just fine.
Thanks for the help.
--
Paul Kraus
Deputy Technical Director, LoneStarCon 3
Sound Coordinator, Schenectady Light Opera Company
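
Added example, not part of the original message: a shell check that the <hash>.N links in a certificate directory (such as 882de061.0 above) carry the subject hash that a given openssl binary computes, which is what a c_rehash run with the "correct" openssl has to produce. The function names link_cert and check_hash_links are hypothetical, and link_cert always uses the .0 suffix, a simplification of what c_rehash does.

```shell
#!/bin/sh
# Usage: sh check_links.sh /etc/ssl /usr/bin/openssl
# The openssl binary is taken from the argument, then $OPENSSL, then $PATH.

# link_cert DIR CERTFILE [OPENSSL]
# Create DIR/<subject_hash>.0 -> CERTFILE, as c_rehash does for one cert.
link_cert() {
    ossl=${3:-${OPENSSL:-openssl}}
    h=$("$ossl" x509 -noout -subject_hash -in "$2") || return 1
    ln -sf "$(basename "$2")" "$1/$h.0"
}

# check_hash_links DIR [OPENSSL]
# Returns 0 if every hash link matches, 1 on any mismatch,
# 2 if DIR contains no hash links at all.
check_hash_links() {
    dir=$1
    ossl=${2:-${OPENSSL:-openssl}}
    rc=0
    found=0
    for link in "$dir"/????????.[0-9]*; do
        [ -L "$link" ] || continue
        found=1
        name=$(basename "$link")
        want=${name%%.*}
        # Only the first certificate in the target file is hashed.
        have=$("$ossl" x509 -noout -subject_hash -in "$link" 2>/dev/null) \
            || have=unreadable
        if [ "$have" = "$want" ]; then
            echo "ok       $name"
        else
            echo "MISMATCH $name (this openssl computes $have)"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no hash links in $dir"
        return 2
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    check_hash_links "$@"
fi
```

A MISMATCH line means the link was made by a different openssl than the one being tested, so libraries built against the tested one will not find that certificate by hash lookup.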