Add a SSL certificate authority

[Bastien Semene]

 Hello,

I'm trying to add a certificate authority unsuccessfully.
The Equifax certificates authority seems not to be registered in 
FreeBSD, so I tried to add it on my server.

I'm logged in root and in its homedir.

#uname -a
FreeBSD svn.cyanide-studio.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Fri 
Aug  6 09:37:33 CEST 2010 
r...@dungeon2.cyanide-studio.com:/usr/obj/usr/src/sys/GEOM  i386


#fetch -o Equifax_Secure_Global_eBusiness_CA-1.pem 
http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer 


#cd /usr/src/crypto/openssl/tools
#chmod u+x c_rehash
#./c_rehash ~/
Doing /root/
Equifax_Secure_Global_eBusiness_CA-1.pem = 74c26bd0.0

My goal being to checkout an SVN repository, I re-launch the command :

# svn co https://svn.cyanide-studio.com/admin 
admin-svn  
[r...@backup]
Error validating server certificate for 
'https://svn.cyanide-studio.com:443':

 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.cyanide-studio.com
 - Valid: from Sun, 22 Aug 2010 13:04:24 GMT until Thu, 25 Aug 2011 
22:05:01 GMT

 - Issuer: Equifax Secure Certificate Authority, Equifax, US
 - Fingerprint: 
ed:6d:1f:6c:d4:93:e9:68:44:1c:b2:68:a1:bb:50:b5:af:0e:16:12

(R)eject, accept (t)emporarily or accept (p)ermanently? R
svn: OPTIONS of 'https://svn.cyanide-studio.com/admin': Server 
certificate verification failed: issuer is not trusted 
(https://svn.cyanide-studio.com)


I've also seen this in the source code of c_rehash :
while(exists $hashlist{$hash.r$suffix}) {
# Hash matches: if fingerprint matches its a 
duplicate cert

if($hashlist{$hash.r$suffix} eq $fprint) {
print STDERR WARNING: Skipping 
duplicate CRL $fname\n;

return;
}
$suffix++;
}

But if I launch the command twice, it still seems to indicate that it's 
adding the CA.


I'm not sure if I do it correctly, but found nothing more relevant on 
google and in the freebsd's handbook.

Can someone point me a good way to add a CA ?

Best Regards,
Bastien Semene
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: Add a SSL certificate authority

[Eric Masson]

Bastien Semene sabba...@semene.fr writes:

Hi,

 I'm trying to add a certificate authority unsuccessfully.
 The Equifax certificates authority seems not to be registered in
 FreeBSD, so I tried to add it on my server.

You can use the security/ca_root_nss port to retrieve the Mozilla
Project root CA list and then configure the apps that need/require it.

 I'm not sure if I do it correctly, but found nothing more relevant on
 google and in the freebsd's handbook.

This is a svn issue, not a FreeBSD one, check this section of the svn
book :
http://svnbook.red-bean.com/nightly/en/svn.advanced.confarea.html#svn.advanced.confarea.opts.servers
or
http://svnbook.red-bean.com/nightly/fr/svn.advanced.confarea.html#svn.advanced.confarea.opts.servers

Then adapt ssl-authority-files directive in [global] section of your
local or system-wide subversion servers file.

Éric Masson

-- 
  Seriez gentils de garder Hordes ou moutons dans le sujet de vos
  enfilades débiles ; comme ça, je peux demander à OE de les
  filtrer. 
 -+- NM in Guide du linuxien pervers - Bien configurer sa secrétaire
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org