On 2017-10-13, Allan Streib <[email protected]> wrote:
> "Bryan C. Everly" <[email protected]> writes:
>
>> Where I work, we are required to install a self-signed root CA into
>> our machines in order to access https sites on the Internet. It
>> basically allows our security appliances to do a MITM attack on the
>> traffic and look into it to examine the payload for viruses, data
>> exfiltration, etc. I know, creepy.
>>
>> Regardless, I'd like to be able to set up my OpenBSD laptop with this
>> certificate; however, I have searched mailing lists, Google, etc. and
>> have come up dry. It basically looks like I need to somehow hook it
>> into the certificate store in /etc/ssl but if someone could point me
>> to a resource that would help me figure out how to do this, I'd really
>> appreciate it.
>
> I think what you will find is that browsers like chromium and firefox
> don't use the OpenBSD-provided /etc/ssl/cert.pem CA file.
>
> They instead have their own internal list of trusted CAs so you will need
> to add your local CA root to the browser's trusted CAs.
>
> I stand to be corrected, but I do know that I've tried just tacking on a
> local CA root at the end of /etc/ssl/cert.pem and firefox still sounded
> alarms when I tried to connect to one of our local websites.
Yes, that's correct for the usual graphical browsers. cert.pem is still used for things like ftp (and thus pkg_add/syspatch), lynx, curl, svn, etc. Remember that browsers will disable some things like cert pinning for sites signed with these manually-added certificates. Basically you are putting full trust in the middleware vendor/operator to verify certificates correctly as well as to not leak your data.
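As an added example (not from the thread or from OpenBSD), a stdlib-only Python helper that appends a local root CA to a cert.pem-style bundle only when its SHA-256 fingerprint is not already present, so the step can be repeated after an upgrade replaces /etc/ssl/cert.pem; as the reply says, this only reaches programs that read cert.pem, not the browsers' own stores. The PEM data inside it is constructed test data, not a real certificate.

```python
import base64
import hashlib
import re

# One PEM certificate; group(1) is the base64 body. Text outside the markers
# (cert.pem's "### Name" comment lines) is ignored, as LibreSSL's PEM reader does.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_certs(text: str) -> list:
    """Every PEM certificate block in `text`, markers included."""
    return [m.group(0) for m in _PEM_RE.finditer(text)]

def fingerprint(pem_block: str) -> str:
    """SHA-256 of the DER bytes, formatted like `openssl x509 -sha256 -fingerprint`."""
    der = base64.b64decode("".join(_PEM_RE.search(pem_block).group(1).split()))
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def bundle_fingerprints(bundle_text: str) -> set:
    """Fingerprints of every certificate already present in a bundle."""
    return {fingerprint(block) for block in pem_certs(bundle_text)}

def append_ca(bundle_text: str, ca_pem: str) -> tuple:
    """Return (new_bundle_text, added). The CA is appended only if its fingerprint
    is not already present, so re-running after an upgrade replaced cert.pem is
    safe and never creates duplicate entries."""
    fp = fingerprint(ca_pem)
    if fp in bundle_fingerprints(bundle_text):
        return bundle_text, False
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    # Comment header in the same style as the bundle's existing "### Name" lines.
    entry = f"### Local root CA, added manually\n### SHA256 fingerprint: {fp}\n"
    return bundle_text + entry + ca_pem.strip() + "\n", True

def make_fake_pem(seed: bytes) -> str:
    """Constructed test data: a well-formed PEM block around arbitrary bytes.
    It is NOT a real X.509 certificate and will not verify anything."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(seed).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    bundle = make_fake_pem(b"constructed CA 1") + make_fake_pem(b"constructed CA 2")
    local_ca = make_fake_pem(b"constructed local root CA")
    bundle, added = append_ca(bundle, local_ca)
    _, added_again = append_ca(bundle, local_ca)
    print(f"added={added} again={added_again} certs={len(pem_certs(bundle))}")  # True False 3
```

Compare the fingerprint the helper records against the one your security team publishes for the root before trusting it; writing the result back to /etc/ssl/cert.pem needs root and should be redone whenever an upgrade replaces the file.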

