c_hash/ca-certificates.crt

etc@coderhacks.com
Hello!

Normally I put new certificates into /etc/ssl/certs and create the
hash-link.
That has worked for me for many years.


Just found out 2 new things about that.

1. There is c_hash that does the creation of the hash-link for me.
Great!

2. ca-certificates.crt is there too. It has any certificate inside of it
that is also in the directory but not the ones I added by myself over
the years.
Today was the 1st time I had to add a certificate to the file because a
tool looked into that file and not into the directory.

Please what is the relation to the directory and ca-certificates.crt and
is there a tool/command that adds new certificates to the file too?

Thanks!
CH

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: c_hash/ca-certificates.crt

Matt Caswell-2


On 23/02/18 14:06, [hidden email] wrote:

> Hello!
>
> Normally I put new certificates into /etc/ssl/certs and create the
> hash-link.
> That has worked for me for many years.
>
>
> Just found out 2 new things about that.
>
> 1. There is c_hash that does the creation of the hash-link for me.
> Great!
>
> 2. ca-certificates.crt is there too. It has any certificate inside of it
> that is also in the directory but not the ones I added by myself over
> the years.
> Today was the 1st time I had to add a certificate to the file because a
> tool looked into that file and not into the directory.
>
> Please what is the relation to the directory and ca-certificates.crt and
> is there a tool/command that adds new certificates to the file too?

Strictly speaking this isn't an OpenSSL question. OpenSSL does not
create or distribute the contents of /etc/ssl/certs. However it *does*
provide the ability to read a set of CA certs from either a directory or
a file. Applications can choose to work whichever way they want.

I assume that distros have opted to provide both a directory *and* a
file so that they can supply certs for whichever way an application
chooses to work.

My understanding is that you are supposed to put locally added certs in
/usr/local/share/ca-certificates, and then run the update-ca-certificates
tool which updates both the directory and the file.

Matt

Re: c_hash/ca-certificates.crt

Jakob Bohm-7
On 23/02/2018 15:55, Matt Caswell wrote:

>
> On 23/02/18 14:06, [hidden email] wrote:
>> Hello!
>>
>> Normally I put new certificates into /etc/ssl/certs and create the
>> hash-link.
>> That has worked for me for many years.
>>
>>
>> Just found out 2 new things about that.
>>
>> 1. There is c_hash that does the creation of the hash-link for me.
>> Great!
>>
>> 2. ca-certificates.crt is there too. It has any certificate inside of it
>> that is also in the directory but not the ones I added by myself over
>> the years.
>> Today was the 1st time I had to add a certificate to the file because a
>> tool looked into that file and not into the directory.
>>
>> Please what is the relation to the directory and ca-certificates.crt and
>> is there a tool/command that adds new certificates to the file too?
> Strictly speaking this isn't an OpenSSL question. OpenSSL does not
> create or distribute the contents of /etc/ssl/certs. However it *does*
> provide the ability to read a set of CA certs from either a directory or
> a file. Applications can choose to work whichever way they want.
>
> I assume that distros have opted to provide both a directory *and* a
> file so that they can supply certs for whichever way an application
> chooses to work.
>
> My understanding is that you are supposed to put locally added certs in
> /usr/local/share/ca-certificates, and then run the update-ca-certificates
> tool which updates both the directory and the file.
>
> Matt

If the system is a recent version of Debian or similar (this may or may
not include Devuan and Ubuntu), you are supposed to put your private
certificates in /usr/local/share/ca-certificates/*.crt while the system
supplied root certs are in /usr/share/ca-certificates/ .  Then rerun
dpkg-reconfigure ca-certificates, and edit (by check boxes) which of the
standard CAs you trust.  The ones in /usr/local/share/ca-certificates/
are trusted unconditionally, no questions asked.  Due to bugs, you may
have to run the command twice, with the same selections.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
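
An added example, not part of the thread and not OpenSSL or distribution code: a Python check for the situation the original poster ran into, listing certificate files in the directory whose certificate is absent from the bundle file. The sample certificates are constructed placeholder bytes (only the fingerprint comparison matters); on a system laid out as described in the thread the arguments would be /etc/ssl/certs and the ca-certificates.crt inside it.

```python
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 fingerprints of the DER bytes of every PEM block in text."""
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(text)}

def read_fingerprints(path):
    with open(path, encoding="ascii", errors="replace") as fh:
        return pem_fingerprints(fh.read())

def missing_from_bundle(cert_dir, bundle_path):
    """Real paths of files in cert_dir holding a cert the bundle lacks.

    Hash links resolve to the same real file as the named certificate,
    so each certificate file is reported once.
    """
    bundled = read_fingerprints(bundle_path)
    bundle_real = os.path.realpath(bundle_path)
    missing = set()
    for name in os.listdir(cert_dir):
        real = os.path.realpath(os.path.join(cert_dir, name))
        if real == bundle_real or not os.path.isfile(real):
            continue  # skip the bundle itself, subdirectories, dangling links
        if read_fingerprints(real) - bundled:
            missing.add(real)
    return sorted(missing)

def fake_pem(payload):
    # Constructed placeholder, not a real certificate.
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

def demo():
    """Directory with a distro cert, a locally added cert and its hash link."""
    with tempfile.TemporaryDirectory() as d:
        distro, local = fake_pem(b"distro CA"), fake_pem(b"local CA")
        for name, pem in (("distro.pem", distro), ("local.pem", local),
                          ("ca-certificates.crt", distro)):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(pem)
        os.symlink("local.pem", os.path.join(d, "0a1b2c3d.0"))  # made-up hash
        found = missing_from_bundle(d, os.path.join(d, "ca-certificates.crt"))
        return [os.path.basename(p) for p in found]
```

A non-empty result means applications that read only the bundle file will not trust those certificates, even though applications that read the directory will.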