
Re: manually adding root certificates



On Tue, 26 Jul 2011 21:22:47 +0200, Arno Schuring wrote:

(...)

I've carefully read your tests below and I get the same as you.

> So I guess the original question is solved, "put the certificate in
> /usr/local/share/ca-certificates" is really the correct solution. 

Okay.

> But then there are two more questions open: 
> - why does openssl respond differently when I specify a CApath that 
> should be the system default?

Dunno, but look:

sm01@stt008:~$ openssl version -a | grep -i ssldir
OPENSSLDIR: "/usr/lib/ssl"

And there is a symlink there to the proper path for certs:

sm01@stt008:~$ ls -la /usr/lib/ssl
total 43
drwxr-xr-x   4 root root   176 ene  6  2011 .
drwxr-xr-x 145 root root 43512 jul  6 13:24 ..
lrwxrwxrwx   1 root root    14 nov 14  2009 certs -> /etc/ssl/certs
drwxr-xr-x   2 root root   336 ene  6  2011 engines
drwxr-xr-x   2 root root   192 ene  6  2011 misc
lrwxrwxrwx   1 root root    20 ene  6  2011 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx   1 root root    16 nov 14  2009 private -> /etc/ssl/private

So why does this not work if we don't specify "-CApath"? :-?

> - what is the correct way to check whether a ca-certificate is installed
> correctly?

Maybe this is what's expected when issuing openssl from the command line? Because the 
symlink seems to be working fine:

openssl s_client -connect pop.gmail.com:995 -showcerts -CApath /usr/lib/ssl
(...)
Verify return code: 0 (ok)

Greetings,

-- 
Camaleón
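
One way to script the "is the CA certificate installed correctly?" check raised in this thread, as an added example that is not part of the original message. The function names are hypothetical, and it assumes the certificate directory uses OpenSSL's hashed layout (`<subject_hash>.N` links, as created by c_rehash, which update-ca-certificates runs).

```shell
#!/bin/sh
# Added example: check that a CA certificate is reachable through an
# OpenSSL hashed certificate directory (the directory given to -CApath).
# Function names are hypothetical, not part of any package.

# Extract the directory from a line such as: OPENSSLDIR: "/usr/lib/ssl"
parse_openssldir() {
    sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Certificate directory under the local binary's OPENSSLDIR.
default_capath() {
    printf '%s/certs\n' "$(openssl version -d | parse_openssldir)"
}

# SHA-256 fingerprint of the (first) certificate in a PEM file.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null
}

# ca_installed CERT [DIR]
# Returns 0 if DIR holds a <subject_hash>.N entry containing exactly CERT,
# 1 if no such entry exists, 2 if CERT cannot be parsed.
ca_installed() {
    cert=$1
    dir=${2:-$(default_capath)}
    h=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || return 2
    want=$(cert_fp "$cert")
    # Several CAs can share a subject hash (.0, .1, ...), so compare
    # fingerprints instead of trusting the file name alone.
    for link in "$dir/$h".*; do
        if [ ! -e "$link" ]; then continue; fi   # unmatched glob or dangling link
        if [ "$(cert_fp "$link")" = "$want" ]; then return 0; fi
    done
    return 1
}

# Stand-alone use: ./check-ca.sh /usr/local/share/ca-certificates/my-ca.crt
if [ "$#" -ge 1 ]; then
    if ca_installed "$@"; then echo "installed"; else echo "NOT installed"; fi
fi
```

The hash in the link name is computed by the openssl binary that runs the check, so links generated by a different OpenSSL major version (the algorithm changed in 1.0.0) will not be found.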

