Install CA Certificates

It has been suggested that this page or section be merged with Add Root Certificates to KeyChain.

If you visit an HTTPS website, your browser warns you unless the server's certificate chains to a certificate authority (CA) that the browser trusts.


Well known Certificate Authorities

There are many certificate authorities, and you must decide for yourself if you want to trust them or not.

By default, the Firefox web browser ships with the root certificates of most well-known certificate authorities.

The following is a list of some CAs that I

Commercial CA

  • Symantec (including: Verisign, Thawte)
  • Comodo
  • GlobalSign
  • Entrust
  • Startcom

GoDaddy is another big one, but I would not do business with them: they have too many controversies on their hands, even though they were on the 'good side' with their opposition to Verisign's idiotic Site Finder.

Educational and Academic CA

Official CA

Open Source CA

CAcert is a certificate authority that charges nothing at all, but it has not yet passed an audit and is therefore not yet included in most browsers or operating systems.

A good alternative is StartSSL by Startcom, which charges only for validation, not for the certificates themselves. In particular, they do not charge for automatic domain validation and the class 1 certificates issued for those domains.

Self-Signed Certificates

Since most CAs charge for certificates, it is common practice to create a self-signed certificate, in effect setting up your own certificate authority on the fly. Clients will not trust such a certificate until its root is installed on them, which is what the rest of this page is about.

Download Certificates

There is no common procedure to reliably download certificates.

  • You can trust the certificates that came with your operating system;
  • You can visit the website of a certificate authority and download its root certificate;
  • You can visit a representative of a certificate authority in person;
  • You can visit an HTTPS website and use openssl to download the certificate chain it sends.

Note that every case that fetches the certificate over the network is vulnerable to man-in-the-middle attacks unless you verify the certificate's fingerprint through an independent channel. What if you Google for "Verisign" and download the first certificate you find? How do you know that you really downloaded Verisign's certificate instead of one from a website of an adversary?

Download Embedded Certificates

In order to download a certificate using openssl, do as follows:

echo "" | openssl s_client -showcerts -servername kwek.macfreek.nl -connect kwek.macfreek.nl:443

Select the block you want to store, e.g.:

-----BEGIN CERTIFICATE-----
MIIEHTCCAgWgAwIBAgIDB/0+MA0GCSqGSIb3DQEBBQUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
gzhZylSzD2utlCjrlE4p8AGYfQyZ35sn4tLdUcvAaKYI1TFbkGYgaKcxdElMFxYg
6M4oWIsZ290s6rXdwzkfXKjOrfO1LvbhDxYE/3Q6M+A+JFxa8yLnnaChK4/EMCPW
dA==
-----END CERTIFICATE-----

Save that block to a file (e.g. storedcertificate.pem); you can then inspect it with:

openssl x509 -noout -text -in storedcertificate.pem

Be sure to store the correct certificate. If you pipe the output straight into openssl x509, only the first PEM block is read, which is the server's own (leaf) certificate, not the CA's:

% echo "" | openssl s_client -connect www.google.com:443 | openssl x509 -noout -subject -issuer
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer= /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA

Typically, you will want to store the last certificate in the chain, the one whose subject and issuer are equal (the root certificate). The openssl -showcerts option displays every certificate the server sent, leaf first. Be aware that most servers do not include the root certificate in the chain they send (and a client should not trust a root merely because a server handed it over), so you often need another method to obtain the root certificate.

Install Certificates

If you downloaded a certificate, here is where to install it:

Mac OS X, including Safari

Mac OS X keeps its built-in root certificates in the keychain at /System/Library/Keychains/X509Anchors. You should not add certificates there, as that keychain can be overwritten by software updates.

Instead, add the certificate to the system keychain at /Library/Keychains/System.keychain, either with Keychain Access or with the security add-trusted-cert command-line tool.

Firefox

Install certificates in the Certificate Manager, which can be accessed through Preferences > Advanced > Encryption > View Certificates. Note that Firefox maintains its own certificate store rather than relying solely on the operating system's.

Curl

If you fetch a page whose certificate is signed by a CA that curl does not trust, you get an error like this:

error: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://www.example.com/path

Curl verifies servers against the certificates in its CA bundle, traditionally a file named curl-ca-bundle.crt. Its location differs per distribution: curl -v prints the CAfile path it is using, and --cacert overrides it for a single invocation. MacPorts stores the file in /opt/local/share/curl/.

You can simply append an existing certificate to this file.

For example, to add the CAcert certificates to the MacPorts-installed curl (note that they are fetched over plain HTTP here, so compare their fingerprints with values obtained through another channel before trusting them):

wget http://www.cacert.org/certs/root.crt
wget http://www.cacert.org/certs/class3.crt
cat root.crt class3.crt >> /opt/local/share/curl/curl-ca-bundle.crt

Note that curl-ca-bundle.crt gets overwritten when you update the curl-ca-bundle package, so the addition has to be repeated after each update. On Debian, any certificate file with a .crt extension placed in /usr/local/share/ca-certificates is added to the system bundle (/etc/ssl/certs/ca-certificates.crt, which Debian's curl uses) when you run update-ca-certificates:

wget http://www.cacert.org/certs/root.crt
mv root.crt /usr/local/share/ca-certificates/cacert.org.crt
update-ca-certificates
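Appending a root fetched over plain HTTP to the bundle without checking it is exactly the man-in-the-middle exposure described in the Download Certificates section. The script below is an added example, not code from the original page: it compares the SHA-256 fingerprint of a downloaded certificate with a value obtained out of band (normalising case and colons so either form can be pasted in), refuses anything that is not marked as a CA certificate, and only then appends it to a bundle. The "downloaded" root and the bundle are constructed locally so the demo runs offline; in real use the expected fingerprint comes from the CA's documentation or another trusted channel, not from the same download.

```shell
#!/bin/sh
# Added example (not from the original page): check a CA certificate's SHA-256
# fingerprint against an out-of-band value before appending it to a CA bundle.
# The root certificate and bundle used below are constructed for the demo.
set -eu
WORK=${WORK:-$(mktemp -d)}

# SHA-256 fingerprint of a PEM certificate as lowercase hex without colons.
cert_fingerprint() {   # $1 = PEM file
    openssl x509 -noout -fingerprint -sha256 -in "$1" \
        | sed -e 's/^[^=]*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Bring a pasted fingerprint ("AB:CD:..." or "abcd...") into the same form.
normalise_fp() { printf '%s' "$1" | sed 's/://g' | tr 'A-F' 'a-f'; }

# True if the certificate carries basicConstraints CA:TRUE; a leaf certificate has no
# business being a trust anchor, whatever its fingerprint.
is_ca_cert() {   # $1 = PEM file
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Append certificate $1 to bundle $2 only if its fingerprint equals $3 and it is a CA.
add_trusted_ca() {   # $1 = cert file, $2 = bundle file, $3 = expected fingerprint
    if [ "$(cert_fingerprint "$1")" != "$(normalise_fp "$3")" ]; then
        echo "refusing $1: fingerprint mismatch" >&2
        return 1
    fi
    if ! is_ca_cert "$1"; then
        echo "refusing $1: not a CA certificate" >&2
        return 1
    fi
    cat "$1" >> "$2"
}

# Number of certificates in a bundle (grep -c exits 1 on zero matches; keep the count).
bundle_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Constructed stand-in for a root certificate downloaded from a CA's website.
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example/CN=Example Root (constructed for demo)" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

demo() {
    make_sample_root
    : > "$WORK/bundle.crt"
    # In real life this value is copied from the CA's documentation, not computed here.
    expected=$(cert_fingerprint "$WORK/root.crt")
    add_trusted_ca "$WORK/root.crt" "$WORK/bundle.crt" "$expected" \
        && echo "added; bundle now holds $(bundle_count "$WORK/bundle.crt") certificate(s)"
    add_trusted_ca "$WORK/root.crt" "$WORK/bundle.crt" \
        "0000000000000000000000000000000000000000000000000000000000000000" \
        || echo "tampered download rejected; bundle still holds $(bundle_count "$WORK/bundle.crt")"
    # Use the resulting bundle with: curl --cacert "$WORK/bundle.crt" https://host/
    # or export CURL_CA_BUNDLE="$WORK/bundle.crt" for the whole session.
}
demo
```

A bundle built this way can be pointed at with curl --cacert or the CURL_CA_BUNDLE environment variable, which also sidesteps the problem of curl-ca-bundle.crt being overwritten on package updates.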

Git

Git uses the curl library (libcurl) for HTTPS. The http.sslCAInfo configuration option specifies which CA bundle file to use (drop --global to set it for a single repository only):

git config --global http.sslcainfo /opt/local/share/curl/curl-ca-bundle.crt

Wget

Wget looks for CA certificates in the default locations OpenSSL was built with; openssl version -d prints that directory (OPENSSLDIR), whose certs subdirectory is the default CA path. You can also point wget at a specific file with --ca-certificate=FILE on the command line, or ca_certificate in ~/.wgetrc.

This article is unfinished.