Add StartSSL to trusted CA store in OpenSSL

A number of Unix/Linux tools, e.g. Subversion (svn) and wget, use OpenSSL when they access HTTPS sites. While I found updating the trusted CA store in curl (which does not use OpenSSL) very easy (I just downloaded their weekly CA bundle), OpenSSL isn’t as self-explaining. You may need this with older Linux distributions like openSUSE 10.3 running on “old” webservers, e.g. when you use svn to track changes of a web-application and keep the repository on encrypted webspace (highly recommended!) and the CA is not trusted in your distribution’s OpenSSL package. I use StartSSL Free Class 1 certificates for some of my private servers and their CA certificate is not included in many older distributions.

First you need to determine where OpenSSL keeps its files on your system. With the aforementioned openSUSE 10.3 this is

cd /etc/ssl/certs

Download your CA’s root certificate

wget -O startssl.pem

Determine the certificate’s hash

openssl x509 -noout -hash -in startssl.pem

For StartSSL this is “33815e15”. Now create a symlink to the certificate file with the hash as the filename and with the filename extension “.0”

ln -s startssl.pem 33815e15.0


If you prefer to know the backgrounds, read this OpenSSL Command-Line Howto!

Tags: , , , ,

  1. Nice post.

    Minor comment though, it seems you can do the symbolic link with the “c_rehash” command instead of manually (which is more error-prone). c_rehash comes with the openssl-perl package.


Your email address will not be published. Required fields are marked *