A number of Unix/Linux tools, e.g. Subversion (svn) and wget, use OpenSSL when they access HTTPS sites. While I found updating the trusted CA store in curl (which does not use OpenSSL) very easy (I just downloaded their weekly CA bundle), OpenSSL isn’t as self-explanatory. You may need this with older Linux distributions like openSUSE 10.3 running on “old” webservers, e.g. when you use svn to track changes of a web application and keep the repository on encrypted webspace (highly recommended!) and the CA is not trusted by your distribution’s OpenSSL package. I use StartSSL Free Class 1 certificates for some of my private servers, and their CA certificate is not included in many older distributions.
First you need to determine where OpenSSL keeps its files on your system. With the aforementioned openSUSE 10.3 this is
cd /etc/ssl/certs
Download your CA’s root certificate
wget http://www.startssl.com/certs/ca.pem -O startssl.pem
Determine the certificate’s hash
openssl x509 -noout -hash -in startssl.pem
For StartSSL this is “33815e15”. Now create a symlink to the certificate file with the hash as the filename and with the filename extension “.0”
ln -s startssl.pem 33815e15.0
Done.
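The steps above (download, hash, symlink) as one reusable script, added here as an example and not part of the original post. It assumes the PEM file and the certificate directory are passed as arguments, and it adds two things the post does not show: a fingerprint check so the file fetched over plain HTTP can be compared with the fingerprint the CA publishes out of band, and an `openssl verify -CApath` run that confirms the directory is actually consulted. The function names and the expected-fingerprint value are placeholders of my own.

```shell
#!/bin/sh
# Added example: install a CA certificate into an OpenSSL hash directory
# (the layout used by -CApath and SSL_CTX_load_verify_locations) and check it.
# Usage: sh install-ca.sh /path/to/ca.pem /etc/ssl/certs [EXPECTED_SHA256]

# Subject-name hash OpenSSL looks up as <hash>.N in a -CApath directory.
ca_hash() {
    openssl x509 -noout -hash -in "$1"
}

# SHA-256 fingerprint of the certificate, colon-separated hex only.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Compare the file's fingerprint with one obtained out of band (e.g. from the
# CA's website or printed documentation); colons and case are ignored.
check_fingerprint() {
    actual=$(ca_fingerprint "$1" | tr -d ':' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Copy the PEM into the directory and create the <hash>.N symlink, using the
# first unused N so a second certificate with the same hash is not clobbered.
# Prints the path of the created symlink.
install_ca() {
    pem="$1"; dir="$2"
    [ -f "$pem" ] || { echo "no such file: $pem" >&2; return 1; }
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $pem" >&2; return 1; }
    mkdir -p "$dir"
    base=$(basename "$pem")
    cp "$pem" "$dir/$base"
    hash=$(ca_hash "$pem")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$base" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# Verify a certificate against ONLY the given directory; returns 0 if trusted.
verify_with_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Command-line entry point; skipped when the file is sourced without arguments.
if [ $# -ge 2 ]; then
    if [ -n "${3-}" ] && ! check_fingerprint "$1" "$3"; then
        echo "fingerprint mismatch, refusing to install $1" >&2
        exit 1
    fi
    link=$(install_ca "$1" "$2") || exit 1
    echo "installed: $link"
    verify_with_dir "$1" "$2" && echo "verify: OK" || echo "verify: FAILED"
fi
```

Two caveats when using this on a real system: OpenSSL 1.0.0 changed the subject-hash algorithm, so compute the hash with the same openssl binary that will later do the verifying (on newer versions `openssl x509 -subject_hash_old` prints the pre-1.0.0 value, and `c_rehash` or `openssl rehash` creates the links for a whole directory); and a CA file fetched over plain HTTP, as in the wget line above, should be compared against a fingerprint obtained from the CA through another channel before it is trusted, which is what the third argument is for.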
If you prefer to know the background, read this OpenSSL Command-Line Howto!
Tags: SSL, StartSSL, subversion, svn, wget