"Bryan C. Everly" <[email protected]> writes: > Where I work, we are required to install a self-signed root CA into > our machines in order to access https sites on the Internet. It > basically allows our security appliances to do a MITM attack on the > traffic and look into it to examine the payload for viruses, data > exfiltration, etc. I know, creepy. > > Regardless, I'd like to be able to set up my OpenBSD laptop with this > certificate; however, I have searched mailing lists, Google, etc. and > have come up dry. It basically looks like I need to somehow hook it > into the certificate store in /etc/ssl but if someone could point me > to a resource that would help me figure out how to do this, I'd really > appreciate it.
I think what you will find is that browsers like chromium and firefox don't use the OpenBSD-provided /etc/ssl/cert.pem CA file. They instead have their own internal list of trusted CAs so you will need to add your local CA root to the browser's trusted CAs.

I stand to be corrected, but I do know that I've tried just tacking on a local CA root at the end of /etc/ssl/cert.pem and firefox still sounded alarms when I tried to connect to one of our local websites.

Allan

