Location of X509 certificates on a 12.2 system


Active Member

Hi all,

After a recent upgrade to 12.2 I notice there are certs in /usr/share/certs/{blacklisted,trusted} and symlinks in
* /usr/local/share/certs/
* /etc/ssl/
Could someone please kindly describe what an ideal/pristine directory structure looks like? Including which dirs contain certs and which contain symlinks, etc.
For some reason my /usr/local/share/certs/ directory contains symlinks to non-existent files. For example:
ee64a828.0@ -> ../../../usr/share/certs/trusted/Comodo_AAA_Services_root.pem
It needs another ../. I'm not sure when those symlinks were created. I don't recall doing so.


Son of Beastie

/usr/local/* has, per definition, nothing to do with the base system. Whatever happens there is based on the ports you've installed. If you have broken symlinks then I'd suggest you check which packages installed those. On my system the only file in /usr/local/share/certs is ca-root-nss.crt which is courtesy of security/ca_root_nss.

Alas... /usr/share/certs only contains full certificates on my system, /etc/ssl contains links.


Well-Known Member

I did notice on one machine (during upgrade to 12.2) there was a message about it (freebsd-update) not handling some local files, and for one of the files the format was like you've mentioned - the "odd" (to me!) file. I meant to come back and see what it was about but never did. Will have to see if I can find the machine it was on ...

Sorry for a not very useful report, but there was something along the lines of what you've said.

Do you use base or ports OpenSSL (I use the ports version)? Would that make a difference?

I've also got a /usr/local/etc/ssl


Well-Known Member

Are you sure it needs another ../ added?

root@dev:/etc/ssl/certs # ls -l ee64a828.0
lrwxr-xr-x  1 root  wheel  61 Oct 28 15:42 ee64a828.0 -> ../../../usr/share/certs/trusted/Comodo_AAA_Services_root.pem
root@dev:/etc/ssl/certs # ls -l ../../../usr/share/certs/trusted/Comodo_AAA_Services_root.pem
-r--r--r--  1 root  wheel  5281 Oct 28 15:47 ../../../usr/share/certs/trusted/Comodo_AAA_Services_root.pem
root@dev:/etc/ssl/certs # cd /tmp/
root@dev:/tmp # ls -l /etc/ssl/certs/ee64a828.0
lrwxr-xr-x  1 root  wheel  61 Oct 28 15:42 /etc/ssl/certs/ee64a828.0 -> ../../../usr/share/certs/trusted/Comodo_AAA_Services_root.pem
root@dev:/tmp # md5 /etc/ssl/certs/ee64a828.0
MD5 (/etc/ssl/certs/ee64a828.0) = 3ea008567b243cad036d9400ea960de7
root@dev:/tmp # md5 /usr/share/certs/trusted/Comodo_AAA_Services_root.pem
MD5 (/usr/share/certs/trusted/Comodo_AAA_Services_root.pem) = 3ea008567b243cad036d9400ea960de7

BUT you were talking about files in /usr/local/share/certs, and all I have is this:

root@dev:/tmp # cd /usr/local/share/certs/
root@dev:/usr/local/share/certs # ls
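
The relative-target behaviour discussed in this thread, as an added example that is not part of any post: the same `../../../usr/share/certs/trusted/...` target resolves from /etc/ssl/certs but dangles from /usr/local/share/certs, and a dangling hash link means that CA is not found when the directory is used as a CApath. The function names and the temporary tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report symlinks in a certificate directory whose targets
# do not exist, and show the path each relative target is looked up as.

# Print one "DANGLING ..." line per broken symlink directly inside $1.
list_dangling() {
    dir=$1
    for link in "$dir"/*; do
        [ -L "$link" ] || continue      # skip anything that is not a symlink
        [ -e "$link" ] && continue      # -e follows the link: target exists
        target=$(readlink "$link")
        case $target in
            /*) resolved=$target ;;         # absolute target
            *)  resolved=$dir/$target ;;    # relative: resolved from the link's own directory
        esac
        printf 'DANGLING %s -> %s (looked up as %s)\n' "$link" "$target" "$resolved"
    done
}

# Number of broken symlinks directly inside $1.
count_dangling() {
    list_dangling "$1" | wc -l | tr -d ' '
}

# Constructed tree mirroring the thread's paths under a temp root:
# one empty placeholder .pem and the same relative link at two depths.
build_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/share/certs/trusted" \
             "$root/etc/ssl/certs" \
             "$root/usr/local/share/certs"
    : > "$root/usr/share/certs/trusted/Comodo_AAA_Services_root.pem"
    rel=../../../usr/share/certs/trusted/Comodo_AAA_Services_root.pem
    ln -s "$rel" "$root/etc/ssl/certs/ee64a828.0"          # 3 levels deep: resolves
    ln -s "$rel" "$root/usr/local/share/certs/ee64a828.0"  # 4 levels deep: dangles
    printf '%s\n' "$root"
}

demo=$(build_demo_tree)
list_dangling "$demo/etc/ssl/certs"
list_dangling "$demo/usr/local/share/certs"
rm -rf "$demo"
```

On a real system, `list_dangling /usr/local/share/certs` and `list_dangling /etc/ssl/certs` give the same report for the live directories.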