Re: manually adding root certificates
On Tue, 26 Jul 2011 21:22:47 +0200, Arno Schuring wrote:
(...)
I've carefully read your tests below and I get the same as you.
> So I guess the original question is solved, "put the certificate in
> /usr/local/share/ca-certificates" is really the correct solution.
Okay.
> But then there are two more questions open:
> - why does openssl respond differently when I specify a CApath that
> should be the system default?
Dunno, but look:
sm01@stt008:~$ openssl version -a | grep -i ssldir
OPENSSLDIR: "/usr/lib/ssl"
And there is a symlink there to the proper path for certs:
sm01@stt008:~$ ls -la /usr/lib/ssl
total 43
drwxr-xr-x 4 root root 176 ene 6 2011 .
drwxr-xr-x 145 root root 43512 jul 6 13:24 ..
lrwxrwxrwx 1 root root 14 nov 14 2009 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 336 ene 6 2011 engines
drwxr-xr-x 2 root root 192 ene 6 2011 misc
lrwxrwxrwx 1 root root 20 ene 6 2011 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 nov 14 2009 private -> /etc/ssl/private
So why does this not work if we don't specify "-CApath"? :-?
> - what is the correct way to check whether a ca-certificate is installed
> correctly?
Maybe this is what is expected when issuing openssl from the command line? Because the
symlink seems to be working fine:
openssl s_client -connect pop.gmail.com:995 -showcerts -CApath /usr/lib/ssl
(...)
Verify return code: 0 (ok)
Greetings,
--
Camaleón
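
On the open question of how to check that a CA certificate is installed correctly, here is an added example; it is not part of this message or thread. It assumes the Debian layout, where update-ca-certificates links each file from /usr/local/share/ca-certificates into /etc/ssl/certs by name and the rehash step adds a <8 hex digits>.<n> link. The names ca_link_status and build_demo_tree are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example. Layout assumed: Debian's update-ca-certificates links each
# local CA file into the certs directory by name, and the rehash step adds a
# <8 hex digits>.<n> link, which is the only name a -CApath lookup opens.

# ca_link_status CERT [CERTS_DIR] -> prints missing | unhashed | installed
ca_link_status() {
    dir=${2:-/etc/ssl/certs}
    [ -f "$1" ] || { echo missing; return 0; }
    cert=$(readlink -f -- "$1")
    named=no
    hashed=no
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        [ "$(readlink -f -- "$link")" = "$cert" ] || continue
        case ${link##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                hashed=yes ;;
            *)  named=yes ;;
        esac
    done
    if [ "$hashed" = yes ]; then echo installed
    elif [ "$named" = yes ]; then echo unhashed
    else echo missing
    fi
}

# Constructed sample tree (empty files, not real certificates; the hash name
# is made up). Prints the temp root; the two directories stand in for
# /usr/local/share/ca-certificates and /etc/ssl/certs.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/local" "$root/certs"
    : > "$root/local/good.crt"       # linked by name and by hash
    : > "$root/local/norehash.crt"   # linked by name only
    : > "$root/local/forgotten.crt"  # never linked
    ln -s "$root/local/good.crt" "$root/certs/good.pem"
    ln -s good.pem "$root/certs/0a1b2c3d.0"
    ln -s "$root/local/norehash.crt" "$root/certs/norehash.pem"
    echo "$root"
}

demo=$(build_demo_tree)
for c in good norehash forgotten; do
    echo "$c.crt: $(ca_link_status "$demo/local/$c.crt" "$demo/certs")"
done
rm -rf "$demo"
```

This checks link structure only. To confirm that the hash link carries the right name for a real certificate, compare it with the output of `openssl x509 -noout -subject_hash -in FILE`.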