About Archive Other Contact

How to install a private CA certificate on FreeBSD

Most SoCruel internal web sites are configured with TLS using a private Certificate Authority (CA). These websites are also accessed by local FreeBSD systems. So these systems must have the SoCruel private CA certificate installed. This post explains how to do this on FreeBSD.

Requirements

The following requirements have to be in place to be able to implement what is described in this post:

Install a private CA certificate

The steps to install a private CA certificate are:

  1. upload your CA certificate
  2. move it to the right directory
  3. calculate the hash of your CA certificate
  4. create a link to your certificate using the calculated hash

1. Upload your CA certificate

The first step is to upload your CA certificate to your FreeBSD machine. This can be done in many different ways. Choose the way you like best/most. For this example it is assumed that we have uploaded the CA certificate to the /var/tmp directory.

2. Move it to the right directory

The second step is to move the CA certificate to the /etc/ssl/certs directory:

$ sudo mv /var/tmp/ca.cert /etc/ssl/certs

Let also be sure it has the right owner and rights:

$ sudo chmod 0644 /etc/ssl/certs/ca.crt && sudo chown root:wheel /etc/ssl/certs/ca.crt

3. Calculate the hash of your CA certificate

The third step is to calculate the hash of the CA certificate using the openssl tool:

$ sudo openssl x509 -noout -hash -in /etc/ssl/certs/ca.crt

This command will produce a string of 8 characters as output. For this example it is assumed that this is: 5d3b9418. This output is needed in the next and final step.

4. create a link to your certificate using the calculated hash

The last and final step is to create a link to your CA certificate file using the output of the previous step:

$ cd /etc/ssl/certs
$ sudo ln -s ca.crt 5d3b9418.0

You can check the working of the CA certificate by connecting to your URL:

$ openssl s_client -connect website.local.url.com:443 | grep -i -e verify

This then would give you a line with

verify return:1

in your output.

Resources

Some (other) resources about this subject:

Updated: December 21, 2018