Use a Linux / OpenSSL SSL client
Most Linux SSL clients (such as Lynx, wget, curl) use OpenSSL to check the server certificates that are presented. See also: Which version of OpenSSL to use?
By default, OpenSSL saves the trusted CA files in /usr/lib/ssl/certs. It also uses this location for its s_client command.
This location can be modified by defining the environment variable SSL_CERT_DIR in /etc/profile or in an equivalent user file.
In this directory, place the certificates (in x509 format, named *.pem) of the authorities that you trust. Then update the subject hash with:
    /usr/bin/c_rehash /usr/lib/ssl/certs
You can directly use our archive of trusted authorities with:
    wget https://www.tbs-internet.com/secure/ca/tbs-trusted-roots.tgz
    tar -x -C / -vzf tbs-trusted-roots.tgz
    c_rehash /usr/lib/ssl/certs
or
    wget https://www.tbs-internet.com/secure/ca/tbs-trusted-roots.tgz && tar -x -C / -vzf tbs-trusted-roots.tgz && c_rehash /usr/lib/ssl/certs
or
    curl https://www.tbs-internet.com/secure/ca/tbs-trusted-roots.tgz | tar -x -C / -vzf - && c_rehash /usr/lib/ssl/certs
If you are using curl, note that it has its own file containing the list of certification authorities that dates from... 2000!
Update that file with:
    cd /usr/share/curl/
    cp curl-ca-bundle.crt curl-ca-bundle.crt.orig
    wget https://www.tbs-internet.com/secure/ca/tbs-trusted-roots.tgz
    tar xvfz tbs-trusted-roots.tgz usr/lib/ssl/certs/allroots.txt
    mv usr/lib/ssl/certs/allroots.txt curl-ca-bundle.crt
    rmdir -p usr/lib/ssl/certs
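The tar -x -C / commands above unpack a downloaded archive over the root filesystem. As an added example (not part of the original instructions), the shell functions below list the archive first and refuse it if any member falls outside usr/lib/ssl/certs, then unpack it into a staging directory for review. The function names, the staging directory and the assumption that every legitimate member lives under usr/lib/ssl/certs are choices made for this example.

```shell
#!/bin/sh
# Added example, not the vendor's procedure: inspect the trusted-roots
# archive before unpacking it over / as root.
# Assumption: every legitimate member lives under usr/lib/ssl/certs/.
# Only member paths are checked; symlink targets are not inspected.

EXPECTED_PREFIX="usr/lib/ssl/certs"

# check_archive_paths ARCHIVE
# Returns 0 only if every member path stays under $EXPECTED_PREFIX.
# Returns 2 if the archive is unreadable or empty, 1 if a member is rejected.
check_archive_paths() {
    archive=$1
    listing=$(tar -tzf "$archive") || return 2
    [ -n "$listing" ] || return 2
    printf '%s\n' "$listing" | (
        while IFS= read -r member; do
            member=${member#./}
            case $member in
                /*|..|../*|*/../*|*/..)
                    # absolute path or parent-directory traversal
                    echo "rejected: $member" >&2; exit 1 ;;
                usr|usr/|usr/lib|usr/lib/|usr/lib/ssl|usr/lib/ssl/)
                    ;;  # parent directories of the expected prefix
                "$EXPECTED_PREFIX"|"$EXPECTED_PREFIX"/*)
                    ;;  # the CA directory and its contents
                *)
                    echo "unexpected: $member" >&2; exit 1 ;;
            esac
        done
    )
}

# stage_archive ARCHIVE DIR
# Unpacks into DIR (not /) only after the path check passes, so the
# certificates can be reviewed before they are copied into place.
stage_archive() {
    check_archive_paths "$1" || return 1
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Usage (hypothetical staging path):
#   stage_archive tbs-trusted-roots.tgz ./staging
#   ls -l ./staging/usr/lib/ssl/certs
```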
If you also have Java on your machine, you can use our certification authorities' file as well.
To do so, and if you installed our file https://www.tbs-internet.com/secure/ca/tbs-trusted-roots.tgz, you should have a file named cacerts in /usr/lib/ssl/certs/. It is the certificate database.
To install it, copy this file to /usr/java/xxx/lib/security/cacerts, replacing xxx with the name of your Java version. For example:
    /usr/java/jre1.5.0_01/lib/security/cacerts
    /usr/java/jdk1.5.0_06/jre/lib/security/cacerts
Our database password is: tbstrusted
Under Gentoo, the default path to certification authorities is /etc/ssl/certs.
A great number of authorities are delivered by default, including ours. So there is no need to add others but deleting some may be a good idea ;)
Last edited on 07/26/2012 08:16:54