StartSSL

You are currently browsing articles tagged StartSSL.

A number of Unix/Linux tools, e.g. Subversion (svn) and wget, use OpenSSL when they access HTTPS sites. While I found updating the trusted CA store in curl (which does not use OpenSSL) very easy (I just downloaded their weekly CA bundle), OpenSSL isn’t as self-explaining. You may need this with older Linux distributions like openSUSE 10.3 running on “old” webservers, e.g. when you use svn to track changes of a web-application and keep the repository on encrypted webspace (highly recommended!) and the CA is not trusted in your distribution’s OpenSSL package. I use StartSSL Free Class 1 certificates for some of my private servers and their CA certificate is not included in many older distributions.

First you need to determine where OpenSSL keeps its files on your system. With the aforementioned openSUSE 10.3 this is

cd /etc/ssl/certs

Download your CA’s root certificate

wget http://www.startssl.com/certs/ca.pem -O startssl.pem

Determine the certificate’s hash

openssl x509 -noout -hash -in startssl.pem

For StartSSL this is “33815e15”. Now create a symlink to the certificate file with the hash as the filename and with the filename extension “.0”

ln -s startssl.pem 33815e15.0

Done.

If you prefer to know the backgrounds, read this OpenSSL Command-Line Howto!