Mailing List Archive



[tlug] [solved] - Re: Adding a private ca certificate to openssl on centos



On 08/08/2012 07:47 PM, Kalin KOZHUHAROV wrote:
> On Wed, Aug 8, 2012 at 5:55 PM, Edward Middleton
> <edward.middleton@example.com> wrote:
>> Does anyone know how to add a private ca certificate to the centos/rhel
>> ca certificate bundle so that it will be picked up by applications?
>
> No CentOS knowledge, but if I had to do that, I'll fire the debugger.
>
> Starting with `strace -f  -e trace=file MY_APP_HERE 2>&1 |grep ENOENT`
> and looking for possible directories.

Thanks, strace did the trick, but it was actually finding the file so ENOENT didn't help.

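It seems like you can either use a cert directory, which works for wget:

# Append the private CA certificate (its PEM body goes between the markers)
(
cat <<'EOP'
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOP
) >> /etc/pki/tls/certs/private-ca.crt
cd /etc/pki/tls/certs/
# Link the certificate under its subject-hash name so the directory lookup finds it
ln -s private-ca.crt "$(openssl x509 -hash -noout -in private-ca.crt)".0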

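or, as suggested by Francois Cartegnie, just concatenating to the bundle, which seems to be necessary for curl:

# Append the private CA certificate (its PEM body goes between the markers)
(
cat <<'EOP'
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOP
) >> /etc/pki/tls/certs/private-ca.crt
cd /etc/pki/tls/certs/
# Append the certificate (text dump followed by the PEM block) to the system bundle
openssl x509 -text -in private-ca.crt >> /etc/pki/tls/certs/ca-bundle.crt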

I prefer the former approach because I won't lose my certs when I upgrade the public bundle.

Edward
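
The cert-directory approach from the message above, as an added example that is not part of the original post: it shows that a CA file in the directory is only trusted once its subject-hash link exists, and goes slightly further than the `ln -s` line by reusing an existing link and taking the next free suffix when `<hash>.0` is already held. The function names are hypothetical, the CA is a constructed throwaway, and a temporary directory stands in for /etc/pki/tls/certs.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the CA is a constructed throwaway and everything happens in a temp directory.

# make_test_ca DIR NAME: write a constructed self-signed CA to DIR/NAME.crt.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Private CA" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# link_ca DIR CERT: create DIR/<subject-hash>.N -> CERT like the ln -s above,
# but reuse a link that already points at CERT and take the first free N when
# another certificate with the same subject hash already holds <hash>.0.
link_ca() {
    dir=$1 cert=$2
    hash=$(openssl x509 -hash -noout -in "$dir/$cert") || return 1
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$cert" ]; then
            echo "$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    ln -s "$cert" "$dir/$hash.$n" && echo "$hash.$n"
}

# ca_trusted DIR CERT: succeed only if DIR/CERT verifies through DIR's hash
# links; -no-CAfile keeps the default bundle out of the check.
ca_trusted() {
    openssl verify -no-CAfile -CApath "$1" "$1/$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && make_test_ca "$d" private-ca || return 1
    ca_trusted "$d" private-ca.crt || echo "before link: not trusted"
    echo "created $(link_ca "$d" private-ca.crt)"
    ca_trusted "$d" private-ca.crt && echo "after link: trusted"
    rm -rf "$d"
}
demo
```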

