How to install a private CA certificate on FreeBSD
Most SoCruel internal web sites are configured with TLS using a private Certificate Authority (CA). These websites are also accessed by local FreeBSD systems. So these systems must have the SoCruel private CA certificate installed. This post explains how to do this on FreeBSD.
Requirements
The following requirements have to be in place to be able to implement what is described in this post:
- an up-to-date FreeBSD 11.2 system
- the reader knows how to upload a file to a FreeBSD system
- the CA certificate is in .crt (PEM) format
- the CA certificate is called ca.crt in this post
Install a private CA certificate
The steps to install a private CA certificate are:
- upload your CA certificate
- move it to the right directory
- calculate the hash of your CA certificate
- create a link to your certificate using the calculated hash
1. Upload your CA certificate
The first step is to upload your CA certificate to your FreeBSD machine. This can be done in many different ways; choose the one you like best. For this example it is assumed that we have uploaded the CA certificate to the /var/tmp directory.
2. Move it to the right directory
The second step is to move the CA certificate to the /etc/ssl/certs directory:
$ sudo mv /var/tmp/ca.crt /etc/ssl/certs
Let's also make sure it has the right owner and permissions:
$ sudo chmod 0644 /etc/ssl/certs/ca.crt && sudo chown root:wheel /etc/ssl/certs/ca.crt
3. Calculate the hash of your CA certificate
The third step is to calculate the hash of the CA certificate using the openssl tool:
$ sudo openssl x509 -noout -hash -in /etc/ssl/certs/ca.crt
This command prints an 8-character hexadecimal string (the hash of the certificate's subject name, which OpenSSL uses to look up CA certificates in a directory). For this example it is assumed that this is: 5d3b9418. This output is needed in the next and final step.
4. Create a link to your certificate using the calculated hash
The last and final step is to create a link to your CA certificate file using the output of the previous step:
$ cd /etc/ssl/certs
$ sudo ln -s ca.crt 5d3b9418.0
You can check that the CA certificate is working by connecting to your URL (redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input):
$ openssl s_client -connect website.local.url.com:443 < /dev/null | grep -i -e verify
This then would give you a line with verify return:1 in your output.
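The four steps above, plus the check, as one script. This is an added example and not part of the original post; it assumes the same layout as the post (a PEM certificate file and /etc/ssl/certs as the hashed CA directory), takes the target directory as an optional second argument so it can be exercised against a scratch directory, and only runs chown when it is actually executed as root. It also handles the case the post does not mention: two CAs with the same subject name share a hash, so the suffix must become .1, .2, … instead of overwriting the .0 link. The offline check uses openssl verify -CApath against the same directory, which exercises exactly the hash lookup that s_client performs.

```shell
#!/bin/sh
# install_ca.sh: add a private CA certificate to the OpenSSL hashed CA directory
# on FreeBSD (example script; /etc/ssl/certs is the default as in the post).
# Usage: install_ca.sh /var/tmp/ca.crt [/etc/ssl/certs]
set -eu

# Print the OpenSSL subject-name hash (8 hex characters) of a PEM certificate.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Copy a CA certificate into the hashed directory and link it as <hash>.N.
# Prints the link name created (or already present). N starts at 0 and is
# only incremented when an existing <hash>.N link points at a different file,
# so two CAs with the same subject name coexist and re-running is idempotent.
install_ca_cert() {
    src=$1
    certs_dir=${2:-/etc/ssl/certs}
    name=$(basename "$src")
    dest="$certs_dir/$name"

    # Refuse anything OpenSSL cannot parse as a PEM certificate.
    if ! openssl x509 -noout -in "$src" >/dev/null 2>&1; then
        echo "not a PEM certificate: $src" >&2
        return 1
    fi

    cp "$src" "$dest"
    chmod 0644 "$dest"
    # root:wheel as in the post; only possible when running as root.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:wheel "$dest"
    fi

    h=$(cert_hash "$dest")
    n=0
    while [ -e "$certs_dir/$h.$n" ]; do
        # This file is already linked under this hash: nothing more to do.
        if [ "$(readlink "$certs_dir/$h.$n")" = "$name" ]; then
            echo "$h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$name" "$certs_dir/$h.$n"
    echo "$h.$n"
}

# Offline counterpart of the s_client check: succeed only if OpenSSL can build
# a trusted chain for $1 using the hashed directory $2.
verify_against_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# When run directly with arguments, behave as a command.
if [ $# -ge 1 ]; then
    link=$(install_ca_cert "$@")
    echo "linked $link in ${2:-/etc/ssl/certs}"
    verify_against_dir "$1" "${2:-/etc/ssl/certs}" && echo "verify: OK"
fi
```

The suffix loop matters because OpenSSL's directory lookup tries <hash>.0, <hash>.1, … until one is missing; a second CA that happened to get the same hash would otherwise either replace the first or never be found.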
Resources
Some (other) resources about this subject: