picture of tbs certificates
picture of tbs certificates
Our products range

Use a linux / openssl SSL client

Most of Linux SSL clients (such as Lynx, wget, curl) uses Openssl to check the server certificates that are presented. See also Which version of Openssl to use?
By default, Openssl saves the trusted CA files in /usr/lib/ssl/certs. It also uses this location for its s_client command.

This location can be modified by defining the environment variable SSL_CERT_DIR in /etc/profile or in an equivalent user file.

In this repertory, place the certificates (in x509 format named *.pem) of the authorities in which you trust. Then update the subject hash with:
/usr/bin/c_rehash /usr/lib/ssl/certs
You can directly use our archive of authorities in which we trust with:
tar -x -C / -vzf tbs-trusted-roots.tgz
c_rehash /usr/lib/ssl/certs
wget && tar -x -C / -vzf tbs-trusted-roots.tgz && c_rehash /usr/lib/ssl/certs
curl | tar -x -C / -vz && c_rehash /usr/lib/ssl/certs
If you are using curl, note that it has its own file containing the list of certification authorities that dates from... 2000!

Update that file with:
cd /usr/share/curl/
cp curl-ca-bundle.crt curl-ca-bundle.crt.orig
tar xvfz tbs-trusted-roots.tgz usr/lib/ssl/certs/allroots.txt
mv usr/lib/ssl/certs/allroots.txt curl-ca-bundle.crt
rmdir -p usr/lib/ssl/certs

If you also have Java on your machine, you can use our certification authorities' file as well.
To do so, and if yo installed our file, you must have a file named cacerts in /usr/lib/ssl/certs/. It is the certificates database.

To install it, copy/paste this file in /usr/java/xxx/lib/security/cacerts and replace xxx by the name of your Java version. For example:
Our database password is: tbstrusted

Under gentoo, the default path to certification authorities is /etc/ssl/certs.

A great number of authorities are delivered by default, including ours. So there is no need to add others but deleting some may be a good idea ;)