It is common to have an internal CA that the machines in our network need to trust. In this entry we are going to see how to make our Root CA a trusted source of certificates.

Method 1

  • Copy the certificate to /usr/local/etc/ssl/certs/, creating the directory if it doesn’t already exist.
  • Add it with certctl, the system utility dedicated to managing certificates.

mkdir -p /usr/local/etc/ssl/certs/
cp certificatefile.pem /usr/local/etc/ssl/certs/
certctl rehash

Method 2

This method does by hand what the certctl command does, so it rarely makes sense unless, for some reason, the version of FreeBSD you have does not include certctl (very rare).

  • Copy the certificate to /etc/ssl/certs/.
  • Give it the correct permissions (0644).
  • Calculate the hash of the certificate.
  • Create a link using that hash.

mv certificatefile.pem /etc/ssl/certs/
chmod 0644 /etc/ssl/certs/certificatefile.pem
openssl x509 -noout -hash -in /etc/ssl/certs/certificatefile.pem
cd /etc/ssl/certs
# OpenSSL looks up CA certificates in this directory by the name <hash>.0
ln -s certificatefile.pem "$(openssl x509 -noout -hash -in /etc/ssl/certs/certificatefile.pem).0"

Check

The best way to check that the system now trusts that CA is to use the OpenSSL suite, for example by connecting to a web service whose certificate was issued by it.

openssl s_client -connect fqdn:443 </dev/null | grep -i -e verify
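
The hashed directory from Method 2 can also be checked offline, without a live service. The script below is an added example, not part of the original entry: it rebuilds the layout in a scratch directory and uses openssl verify -CApath to show that the CA is only found once the link is named <hash>.0. The helper names and the self-signed test certificate are constructed for the demonstration.

```sh
#!/bin/sh
# Added example; helper names and the throwaway certificate are constructed.

# Subject-name hash OpenSSL uses to look up a CA in a hashed directory.
ca_hash() { openssl x509 -noout -hash -in "$1"; }

# Link cert $1 (a file name inside dir $2) as <hash>.N, taking the first free N.
# Running it again for the same certificate changes nothing.
link_ca() {
    cert=$1 dir=$2 n=0
    hash=$(ca_hash "$dir/$cert") || return 1   # not a readable PEM certificate
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$cert" ]; then return 0; fi
        n=$((n + 1))                           # different CA, same hash
    done
    chmod 0644 "$dir/$cert" && ln -s "$cert" "$dir/$hash.$n"
}

# True only if certificate $1 chains to a CA found in hashed directory $2.
trusted_in() { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

# Constructed self-signed certificate standing in for the internal Root CA.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$1/test-ca.key" -out "$1/test-ca.pem" >/dev/null 2>&1
}

report() {
    if trusted_in "$2/test-ca.pem" "$2"; then echo "$1: trusted"
    else echo "$1: not trusted"; fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_test_ca "$d" || { rm -rf "$d"; return 1; }
    report "no link" "$d"
    ln -s test-ca.pem "$d/$(ca_hash "$d/test-ca.pem")"   # hash without suffix
    report "link named <hash>" "$d"
    link_ca test-ca.pem "$d"
    report "link named <hash>.0" "$d"
    rm -rf "$d"
}
demo
```

Only the last line of output reports the certificate as trusted. The numeric suffix exists so that two CAs whose subject names hash to the same value can coexist as .0 and .1.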