SSL / TLS certificate

Hello.

I am very new to freeBSD. And not a native English speaker. My apologies.
I have used Linux, a bit more, so I am a bit familiar with "unix like" commands.

I am running VMs on a network with an outbound https proxy. This proxy requires root certificate configuration within the VMs in order for https connections to work correctly. I followed a Linux procedure for a Debian VM to make outbound https traffic work. My company does not provide an equivalent freeBSD procedure. But I also need to configure a freeBSD VM.

Could someone help me find the equivalent directories and commands to configure and activate a root certificate on a freeBSD 13.0 system?
  1. Copy both root and intermediate certificates as individual files in PEM format into the location /usr/local/share/ca-certificates/
  2. Update the CA store using the following command:
cp IS_INFRA_ROOT_CRT.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates


What is the equivalent freeBSD certificate directory to : /usr/local/share/ca-certificates/
Is it : /usr/local/etc/ssl/ ?

What is the equivalent freeBSD command to: update-ca-certificates

Thank you for your help.
 
Would it be /usr/local/share/certs? I see that when one installs the ca_root_nss pkg, that is one of the files created.
Hopefully someone with more knowledge will confirm or correct this.
 
Hello & Welcome to this FreeBSD community!

What is the equivalent freeBSD certificate directory to : /usr/local/share/ca-certificates/
Is it : /usr/local/etc/ssl/ ?
Personally, I keep mine under /usr/local/etc/ssl/certs.
I seem to faintly recall from a PR a few years ago that somebody indicated that this is the more appropriate location but my memory fails me on this one.

What is the equivalent freeBSD command to: update-ca-certificates
As far as I know FreeBSD doesn't provide a centralized (root) certificate manager.
Usually the utility in question would provide a way to either persistently register or temporarily add a new CA, e.g. openssh rehash in case of OpenSSH.
Check your proxy's documentation for a corresponding CLI or config file option.
 
I am not sure if I understand correctly but you can look at security/ca_root_nss
Code:
[what@home]~> pkg info -l ca_root_nss
ca_root_nss-3.83:
        /etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem.sample
        /usr/local/openssl/cert.pem
        /usr/local/openssl/cert.pem.sample
        /usr/local/share/certs/ca-root-nss.crt
        /usr/local/share/licenses/ca_root_nss-3.83/LICENSE
        /usr/local/share/licenses/ca_root_nss-3.83/MPL20
        /usr/local/share/licenses/ca_root_nss-3.83/catalog.mk
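
Step 1 of the procedure quoted in the first post asks for individual PEM files. The following is an added example, not code from any poster in this thread: it splits a bundle into one file per certificate, rejects truncated blocks, and prints each certificate's identity before installing it. It assumes the VM has certctl(8) from the FreeBSD base system and that /usr/local/etc/ssl/certs (the directory mentioned above) is one of the directories it scans; the function names and the `corp` prefix are made up for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# split_pem_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX-1.pem, PREFIX-2.pem, ... (one certificate per file)
# and prints how many certificates were found. Text between blocks is dropped.
split_pem_bundle() {
    bundle=$1; outdir=$2; prefix=$3
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pre="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pre "-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                            { print n + 0 }
    ' "$bundle"
}

# pem_is_complete FILE
# Succeeds only if FILE holds exactly one BEGIN/END pair with a non-empty
# body, so a truncated download is caught before it reaches the trust store.
pem_is_complete() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { b++; next }
        /^-----END CERTIFICATE-----/   { e++; next }
        b == 1 && e == 0 && NF         { body++ }
        END { exit !(b == 1 && e == 1 && body > 0) }
    ' "$1"
}

# install_ca FILE  (run as root on the FreeBSD VM)
# Prints subject, issuer, expiry and SHA-256 fingerprint so they can be
# compared with the values published by the proxy's operators, then copies
# the file into a local trust directory and rebuilds the hashed store.
# Assumption: certctl(8) is present and scans /usr/local/etc/ssl/certs.
install_ca() {
    pem_is_complete "$1" || { echo "not a single complete PEM cert: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -subject -issuer -enddate \
        -fingerprint -sha256 || return 1
    mkdir -p /usr/local/etc/ssl/certs &&
        cp "$1" /usr/local/etc/ssl/certs/ &&
        certctl rehash
}

# Typical use (bundle.pem is a placeholder file name):
#   split_pem_bundle bundle.pem /tmp/ca corp
#   for f in /tmp/ca/corp-*.pem; do install_ca "$f"; done
```

Programs that read a bundle file such as /usr/local/etc/ssl/cert.pem directly, rather than the hashed directory, may still need to be pointed at the new certificate in their own configuration.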
 