Most SoCruel internal websites are configured with TLS using a private Certificate Authority (CA). These websites are also accessed by local FreeBSD systems, so those systems must have the SoCruel private CA certificate installed. This post explains how to do this on FreeBSD.
The following requirements have to be in place to be able to implement what is described in this post:
ca.crt in this post
The steps to install a private CA certificate are:
1. Upload your CA certificate
The first step is to upload your CA certificate to your FreeBSD machine. This can be done in many different ways; choose whichever you prefer. For this example it is assumed that we have uploaded the CA certificate to the
2. Move it to the right directory
The second step is to move the CA certificate to the
$ sudo mv /var/tmp/ca.crt /etc/ssl/certs
Let's also make sure it has the right owner and permissions:
$ sudo chmod 0644 /etc/ssl/certs/ca.crt && sudo chown root:wheel /etc/ssl/certs/ca.crt
3. Calculate the hash of your CA certificate
The third step is to calculate the hash of the CA certificate using the
$ sudo openssl x509 -noout -hash -in /etc/ssl/certs/ca.crt
This command will produce a string of 8 characters as output. For this example it is assumed that this is: 5d3b9418. This output is needed in the next and final step.
4. Create a link to your certificate using the calculated hash
The final step is to create a link to your CA certificate file using the output of the previous step:
$ cd /etc/ssl/certs
$ sudo ln -s ca.crt 5d3b9418.0
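Steps 3 and 4 as one repeatable helper, added here as an example and not part of the original post: it computes the subject hash, reuses an existing link to the same certificate, and takes the next free suffix if a different CA already holds `<hash>.0`. The name `link_ca_cert` and its two arguments are assumptions; the certificate is expected to be in the directory already (steps 1 and 2).

```shell
#!/bin/sh
# Added example: create the OpenSSL subject-hash link for a CA certificate.
# link_ca_cert is a hypothetical helper; the directory is a parameter so the
# function can be tried on a scratch directory before /etc/ssl/certs.

link_ca_cert() {
    cert_dir=$1     # e.g. /etc/ssl/certs
    cert_name=$2    # e.g. ca.crt
    cert_path="$cert_dir/$cert_name"

    # Refuse anything that does not parse as an X.509 certificate.
    openssl x509 -noout -in "$cert_path" 2>/dev/null || {
        echo "not a PEM certificate: $cert_path" >&2
        return 1
    }

    hash=$(openssl x509 -noout -hash -in "$cert_path") || return 1
    want_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert_path")

    # OpenSSL looks up <hash>.0, <hash>.1, ... in order, so two CAs whose
    # subject hashes collide need different numeric suffixes.
    n=0
    while [ -e "$cert_dir/$hash.$n" ] || [ -L "$cert_dir/$hash.$n" ]; do
        have_fp=$(openssl x509 -noout -fingerprint -sha256 \
            -in "$cert_dir/$hash.$n" 2>/dev/null) || have_fp=
        if [ "$have_fp" = "$want_fp" ]; then
            echo "$hash.$n"    # same certificate is already linked
            return 0
        fi
        n=$((n + 1))           # slot taken by another cert or a dangling link
    done

    # Relative link target, like the ln -s in step 4.
    (cd "$cert_dir" && ln -s "$cert_name" "$hash.$n") || return 1
    echo "$hash.$n"
}
```

On the real directory the call needs root, for example from a root shell: `link_ca_cert /etc/ssl/certs ca.crt`. Compare the SHA-256 fingerprint of the file with the one published by the CA owner before linking it, since everything signed by this certificate becomes trusted.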
You can check that the CA certificate works by connecting to your URL:
$ openssl s_client -connect website.local.url.com:443 | grep -i -e verify
This then would give you a line with
in your output.
Some (other) resources about this subject: