Best way to append to trusted CA bundle (RHEL)


Best way to append to trusted CA bundle (RHEL)

Ray Van Dolson
I'm trying to extend the list of certificates (the default CA bundle)
OpenSSL and OpenSSL-aware apps trust to include our Enterprise root
cert.

This is on a RHEL 5.x machine (0.9.8e plus backported RH patches).

From reading, it seems like the proper way to do this is either to
append the cert to the end of my /etc/pkt/tls/certs/ca-bundle.crt file
OR to create a symlink to the crt in the same /etc/pki/tls/certs
directory with the target link being named <hash_of_cert>.0.

Couple of questions:

- Is the latter option listed above the correct/best way to do this?
- What's the best way to test?  Some utilities such as cURL seem to use
  OpenSSL but don't appear to be referencing my .0 cert above and need
  application specific ways to trust additional certs.

Thanks for the feedback.

Ray
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
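
The two options described in the post above (a `<hash_of_cert>.0` link in a CA directory, or a bundle file) and a way to test each with `openssl verify`, as an added example that is not part of the original thread. The CA, the leaf certificate, and all names and paths are constructed in a scratch directory; pass absolute paths so the symlink target resolves.

```shell
#!/bin/sh
# Added example: builds a constructed throwaway CA and leaf certificate in a
# scratch directory. Nothing under /etc/pki is read or modified.

make_demo_pki() {   # $1 = scratch dir (absolute); all names are constructed
    d=$1; mkdir -p "$d/capath"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Example Enterprise Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -subj "/CN=host.example.internal" \
        -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# Create the <hash_of_cert>.0 link that a -CApath lookup expects.
# Compute the hash with the same OpenSSL build that will read the directory:
# the subject-hash algorithm changed in OpenSSL 1.0.0.
link_by_hash() {    # $1 = CA cert, $2 = CApath dir; prints the link name
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    ln -sf "$1" "$2/$h.0" && echo "$h.0"
}

# Match on the "OK" text rather than the exit status, because some older
# OpenSSL releases exit 0 even when verification fails.
verifies_with_capath() {   # $1 = CApath dir, $2 = cert to check
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Same check against a single file, the "append to ca-bundle.crt" route.
verifies_with_cafile() {   # $1 = bundle file, $2 = cert to check
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}
```

A passing `openssl verify` only shows that OpenSSL's own lookup finds the root; an application that sets its own CA file or path still has to be pointed at it separately.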

Re: Best way to append to trusted CA bundle (RHEL)

ml@smtp.fakessh.eu
this issue and tango fix it
are welcome

please provide is issue


Le 2013-01-01 16:32, Ray Van Dolson a écrit :

> I'm trying to extend the list of certificates (the default CA bundle)
> OpenSSL and OpenSSL-aware apps trust to include our Enterprise root
> cert.
>
> This is on a RHEL 5.x machine (0.9.8e plus backported RH patches).
>
> From reading, it seems like the proper way to do this is either to
> append the cert to the end of my /etc/pkt/tls/certs/ca-bundle.crt file
> OR to create a symlink to the crt in the same /etc/pki/tls/certs
> directory with the target link being named <hash_of_cert>.0.
>
> Couple of questions:
>
> - Is the latter option listed above the correct/best way to do this?
> - What's the best way to test?  Some utilities such as cURL seem to use
>   OpenSSL but don't appear to be referencing my .0 cert above and need
>   application specific ways to trust additional certs.
>
> Thanks for the feedback.
>
> Ray

--
gpg --keyserver pgp.mit.edu --recv-key C2626742
http://about.me/fakessh


Re: Best way to append to trusted CA bundle (RHEL)

Ray Van Dolson
On Thu, Jan 03, 2013 at 06:09:28AM +0100, ml wrote:
> this issue and tango fix it
> are welcome
>
> please provide is issue

Fantastic?

>
> Le 2013-01-01 16:32, Ray Van Dolson a écrit :
> >I'm trying to extend the list of certificates (the default CA bundle)
> >OpenSSL and OpenSSL-aware apps trust to include our Enterprise root
> >cert.
> >
> >This is on a RHEL 5.x machine (0.9.8e plus backported RH patches).
> >
> >From reading, it seems like the proper way to do this is either to
> >append the cert to the end of my /etc/pkt/tls/certs/ca-bundle.crt file
> >OR to create a symlink to the crt in the same /etc/pki/tls/certs
> >directory with the target link being named <hash_of_cert>.0.
> >
> >Couple of questions:
> >
> >- Is the latter option listed above the correct/best way to do this?
> >- What's the best way to test?  Some utilities such as cURL seem to use
> >  OpenSSL but don't appear to be referencing my .0 cert above and need
> >  application specific ways to trust additional certs.
> >
> >Thanks for the feedback.
> >
> >Ray