Trust the gandi.net CA on OpenBSD


This website provides some HTTPS services. I bought the SSL certificate from a French provider called “Gandi”. Unfortunately, their issuer is not known to OpenBSD, nor is their own CA trusted by Firefox. As explained in their FAQ, they provide the CA file to import manually into Firefox. Once that is done, Firefox trusts the whole SSL path. We’ll use this to install the SSL trust path in OpenBSD, in the OpenSSL instance.

Grab the CA certificates

When I read the www.tumfatig.net certificate details in Safari or Firefox, I can see that the gandi.net CA provides a certificate here: http://crt.gandi.net/GandiStandardSSLCA.crt . Then, once it is installed in Firefox and/or Safari, I can see that Gandi uses “The USERTRUST Network” as its issuer. Their CA certificate is available here: http://crt.usertrust.com/UTNAddTrustServer_CA.crt .

Those files can be downloaded directly from Firefox or Safari. But we’ll use OpenBSD to do the whole job.

Install the CA trust path

Here is what happens if I try to connect over SSL to a service protected by my certificate:

# openssl s_client -connect www.tumfatig.net:imaps  
CONNECTED(00000003)  
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net  
verify error:num=20:unable to get local issuer certificate  
verify return:1  
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net  
verify error:num=27:certificate not trusted  
verify return:1  
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net  
verify error:num=21:unable to verify the first certificate  
verify return:1  
--
Certificate chain  
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.tumfatig.net  
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA  
--

We have to download the CA files, convert them to a proper format and install them in the OpenSSL infrastructure:

# ftp http://crt.gandi.net/GandiStandardSSLCA.crt  
# ftp http://crt.usertrust.com/UTNAddTrustServer_CA.crt  
# for CAfile in GandiStandardSSLCA.crt UTNAddTrustServer_CA.crt; do  
  openssl x509 -inform DER -outform PEM -in $CAfile -out $CAfile.pem;  
  openssl x509 -in $CAfile.pem -text >> /etc/ssl/cert.pem;
  done 

Now, here’s what happens when I connect to the SSL service:

# openssl s_client -CAfile /etc/ssl/cert.pem -connect www.tumfatig.net:imaps  
CONNECTED(00000003)  
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware  
verify error:num=2:unable to get issuer certificate  
issuer= C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root  
verify return:0  
--
Certificate chain  
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.tumfatig.net  
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA  
--

Note that you have to pass the cert.pem file to any client that wishes to validate your certificate.
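The second s_client run above still reports `verify error:num=2:unable to get issuer certificate` at depth=2, because the USERTRUST certificate's own issuer (AddTrust External CA Root) is not in cert.pem, so the chain does not yet end at a self-signed root OpenSSL trusts. The script below, an added example that is not part of the original post, reproduces that failure mode offline: it builds a constructed root -> intermediate -> leaf chain with openssl (standing in for AddTrust root -> Gandi CA -> site certificate), converts the intermediate from DER to PEM exactly as the page does, and verifies the leaf first against a bundle holding only the intermediate, then against one that also holds the root. All subject names are made up; it needs only the openssl command line.

```sh
#!/bin/sh
# Added example, not the post's own commands. Constructed PKI: root -> int -> leaf.
set -u

# Same conversion the page performs: DER .crt file in, PEM out on stdout.
der_to_pem() {
    openssl x509 -inform DER -outform PEM -in "$1"
}

# Create root, intermediate and leaf certificates in scratch dir $1 (EC keys, no passphrase).
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >"$d/leaf.ext"
    for name in root int leaf; do
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj "/CN=Example $name" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    done
    # Self-signed root: the trust anchor a verifier must already hold (like AddTrust External CA Root).
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 7 -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate signed by the root, written as DER to stand in for the downloaded .crt file.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 7 -outform DER -out "$d/int.crt" 2>/dev/null || return 1
    der_to_pem "$d/int.crt" >"$d/int.pem" || return 1
    # Leaf signed by the intermediate (the site certificate).
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -extfile "$d/leaf.ext" -days 7 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# verify_leaf BUNDLE LEAF: exit 0 only when the chain reaches a trusted self-signed root.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints "int-only=<rc> full=<rc>"; rc 1 is the "unable to get issuer certificate" case.
demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d" || { rm -rf "$d"; return 1; }
    cat "$d/int.pem" >"$d/int-only.pem"            # what the page's cert.pem ends up with
    cat "$d/int.pem" "$d/root.pem" >"$d/full.pem"  # intermediate plus its self-signed root
    if verify_leaf "$d/int-only.pem" "$d/leaf.pem"; then a=0; else a=1; fi
    if verify_leaf "$d/full.pem" "$d/leaf.pem"; then b=0; else b=1; fi
    rm -rf "$d"
    echo "int-only=$a full=$b"
}
```

Running `demo` prints `int-only=1 full=0`: the intermediate alone is not enough, the bundle must also carry the self-signed root that issued it.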

That’s All Folks!