http://www.warp1337.com/content/adding-additional-ssl-certificate-default-ca-bundle-ssl-certificate-chain-verification-ca
OpenSSL
Sometimes you need to connect via SSL to a website or service and you get stuck because OpenSSL cannot verify the server certificate. With curl, for instance:
No cURL data returned for https://my.webserver.com:443 [0] SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Disabling the SSL verification checks is not a good idea, because it leaves the connection open to MITM attacks.
SSL certificates usually follow a validation chain, see [2]. Therefore, you need to add the complete chain to your ca-bundle.crt in order to validate your certificate and also the trusted issuer (if it is not yet included). Most distributions come with a default certificate file which is used by various clients (curl, LDAP, mail) to validate SSL/TLS connections. The first problem is to find out where exactly your default SSL certificate folder is located: in Ubuntu it seems to be /etc/ssl, in CentOS and Scientific Linux it is /etc/pki/tls/certs. We will go through this step by step.
mkdir -p ~/.cert/cert.test/
cd ~/.cert/cert.test/
openssl s_client -showcerts -connect my.webserver.com:443
You should get the following error at the end of the output:
Verify return code: 21 (unable to verify the first certificate)
Now copy the block from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" (including both marker lines) and save it in your ~/.cert/cert.test/ directory as mycert.pem.
Again, have a look at the openssl output; you should look for the following lines:
Certificate chain
0 s:/O=my.webserver.com/CN=my.webserver.com/OU=Domain Control Validated
i:/C=US/ST=Arizona/L=Scottsdale/O=Issuer.com, Inc./OU=http://certificates.issuer.com/repository/CN=Issuer Certification Authority/serialNumber=04369233
This line tells you that your certificate was issued by Issuer.com, so get the issuer's certificate as well. Your issuer probably already provides its certificate in PEM format, so download it. You may also need to download the root certificate, "the issuer's issuer certificate". Again, please note: you need to add the whole chain. You can test this incrementally, though, as the test (see below) will fail until you have imported all required certs. As soon as you have all certificates, do the following (on CentOS/SL6 this needed yum install openssl-perl.x86_64 upfront; there is probably a similar package in Ubuntu/Debian):
c_rehash ~/.cert/cert.test/
Your output should look like the following:
Doing ~/.cert/cert.test/
my_issuers_issuer.pem => 5a37af32.0
myissuer.pem => 1d97af50.0
mycert.pem => 219d9499.0
You may have a look at one of the hash files: cat 219d9499.0
Test your new certs:
openssl s_client -CApath ~/.cert/cert.test/ -showcerts -connect my.webserver.com:443
Now, if everything is fine, the output should look like the following:
Verify return code: 0 (ok)
Now, copy the hash files to your "ca-cert" folder, e.g., /etc/pki/tls/certs.
sudo cp 5a37af32.0 /etc/pki/tls/certs
...
Then, go to the "ca-cert" folder and append *all* the hashes to your "ca-bundle.crt":
cat 5a37af32.0 >> /etc/pki/tls/certs/ca-bundle.crt
...
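As an added example (not part of the original post), the following POSIX shell script rehearses the whole procedure offline: it generates a constructed three-tier chain (root CA, intermediate CA, leaf certificate for my.webserver.com) with throwaway keys, hashes the PEM files into a CApath directory the way c_rehash does but using only the openssl binary (handy on systems without openssl-perl), and then runs openssl verify against that directory once with only the root present and once with root plus intermediate. All subjects, file names and the temporary directory layout are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates why the *whole*
# chain has to be present in the CApath and how the <subject_hash>.N files
# that c_rehash produces can be created with plain openssl.
# All certificates below are constructed throwaway demo material.
set -eu

# rehash_dir DIR: rebuild the <subject_hash>.N symlinks for every *.pem in DIR,
# the way c_rehash does (old hash links are removed first, then recreated).
rehash_dir() {
    dir=$1
    rm -f "$dir"/*.[0-9]
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        # pick the first free suffix, so two certs with the same subject coexist
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# make_chain DIR: generate a constructed root CA, an intermediate CA signed by
# it, and a leaf server certificate signed by the intermediate, all under DIR.
make_chain() {
    dir=$1
    mkdir -p "$dir"
    # minimal req config: no DN prompts (we pass -subj) and CA extensions for the root
    printf '[ req ]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[ dn ]\n[ v3_ca ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$dir/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my.webserver.com\n' > "$dir/leaf.ext"
    # unquoted on purpose below: these are several options, not one argument
    key='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'

    # self-signed root CA ("the issuer's issuer")
    openssl req -x509 -config "$dir/req.cnf" $key -days 2 -sha256 \
        -subj '/O=Demo Root/CN=Demo Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    # intermediate CA, signed by the root
    openssl req -new -config "$dir/req.cnf" $key \
        -subj '/O=Issuer.com, Inc./CN=Issuer Certification Authority' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/inter.pem" >/dev/null 2>&1
    # leaf (server) certificate, signed by the intermediate
    openssl req -new -config "$dir/req.cnf" $key \
        -subj '/O=my.webserver.com/CN=my.webserver.com' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -set_serial 3 -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_leaf CAPATH LEAF: print "ok" if openssl can build a trusted chain for
# LEAF using only the hashed certificates in CAPATH, otherwise "fail".
verify_leaf() {
    if openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# demo: run the two verification attempts and print both results on one line.
demo() {
    work=$(mktemp -d)
    make_chain "$work"
    capath="$work/capath"
    mkdir -p "$capath"

    # Step 1: only the root is trusted. Verification fails, because the
    # intermediate that issued the leaf is nowhere to be found (the
    # incomplete-chain situation described in the post).
    cp "$work/root.pem" "$capath/"
    rehash_dir "$capath"
    r1=$(verify_leaf "$capath" "$work/leaf.pem")

    # Step 2: add the intermediate and rehash; now the whole chain is present.
    cp "$work/inter.pem" "$capath/"
    rehash_dir "$capath"
    r2=$(verify_leaf "$capath" "$work/leaf.pem")

    rm -rf "$work"
    echo "$r1 $r2"
}

demo
```

Running the script prints "fail ok": the first attempt fails with only the root hashed into the CApath, the second succeeds once the intermediate is there too. The same rehash loop works on a real directory such as /etc/pki/tls/certs, and verifying a saved mycert.pem with openssl verify -CApath is a quick way to check the bundle before pointing curl at it.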
Voilà, now you should be able to use curl, git, svn or whatever over a properly verified SSL connection. Please double-check the downloaded certificates (issuer, root, etc.), because you need to make sure you got the correct ones.
Please note that some distributions overwrite the ca-bundle.crt file during updates; therefore, this is maybe not a long-term solution.
I hope this helps.
Acks: This tutorial was inspired by the wonderful NixCraft [1] site.
References
[1] http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/
[2] http://en.wikipedia.org/wiki/Secure_Sockets_Layer