Trust the gandi.net CA on OpenBSD
This website provides some HTTPS services. I bought the SSL certificate from a French provider called “Gandi”. Unfortunately, their issuer is not known to OpenBSD, and their own CA is not trusted by Firefox either. Since this is a common question, their FAQ provides the CA file to import manually into Firefox; once that is done, Firefox trusts the whole certification path. We’ll use the same files to install that trust path in OpenBSD, in its OpenSSL installation.
Grab the CA certificates
When I read the www.tumfatig.net certificate details from Safari or Firefox, I can see that the gandi.net CA publishes its certificate for download (the crt.gandi.net URL used in the commands below). Once that file is installed in Firefox and/or Safari, I can see that Gandi’s CA is itself issued by “The USERTRUST Network”, whose CA certificate is available from crt.usertrust.com (again, see the commands below).
Those files can be downloaded directly from Firefox or Safari, but we’ll do the whole job from OpenBSD.
Install the CA trust path
Here is what happens when I connect with SSL to a service protected by my certificate. Note that the server only sends the leaf certificate (the chain lists certificate 0 only), so the client has to find the Gandi issuer on its own, and fails:
# openssl s_client -connect www.tumfatig.net:imaps
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net
verify error:num=21:unable to verify the first certificate
verify return:1
--
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.tumfatig.net
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
--
We have to download the CA files, convert them from DER to PEM, and append them to the OpenSSL CA bundle, /etc/ssl/cert.pem. The -text option also writes a human-readable dump of each certificate before its PEM block; OpenSSL ignores that text when reading the bundle, so it is harmless, but you can drop -text if you prefer a compact file:
# ftp http://crt.gandi.net/GandiStandardSSLCA.crt
# ftp http://crt.usertrust.com/UTNAddTrustServer_CA.crt
# for CAfile in GandiStandardSSLCA.crt UTNAddTrustServer_CA.crt; do
    openssl x509 -inform DER -outform PEM -in $CAfile -out $CAfile.pem;
    openssl x509 -in $CAfile.pem -text >> /etc/ssl/cert.pem;
  done
Now, here’s what happens when I connect to the SSL service:
# openssl s_client -CAfile /etc/ssl/cert.pem -connect www.tumfatig.net:imaps
CONNECTED(00000003)
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify error:num=2:unable to get issuer certificate
issuer= C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:0
--
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.tumfatig.net
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
--
The chain is now built through the Gandi CA up to UTN-USERFirst-Hardware (depth=2), which is what we wanted. But look closely at the output: OpenSSL still reports verify error num=2 and “verify return:0”, because the UTN-USERFirst-Hardware certificate we just installed is itself issued by “AddTrust External CA Root”, which is not in cert.pem. Verification only succeeds once the chain ends at a self-signed certificate present in the bundle, so that root has to be converted and appended the same way (or the bundle has to contain the self-signed UTN root instead of the cross-signed one).
Note also that you have to point any client that wishes to validate your certificate at the cert.pem file, for example with -CAfile as above. The underlying problem is that the server only sends its own certificate: configure the server to send the Gandi intermediate as well, and clients will only need the root in their trust store.
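The same trust-path exercise, as an added example that is not part of the original post: the script below builds a throwaway root, intermediate and leaf certificate with openssl (all names such as “Demo Root CA” and www.example.test are constructed), converts the intermediate from DER exactly as the Gandi file had to be converted, and then runs openssl verify against bundles of increasing completeness. It reproduces the three situations seen above: nothing trusted, only the intermediate trusted (the “unable to get issuer certificate” case, which passes only with -partial_chain), and the full chain available, plus the server-side fix of supplying the intermediate with -untrusted.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a demo PKI in a
# temporary directory and shows how OpenSSL chain verification behaves
# depending on which CA certificates are in the bundle.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. Extensions come from an explicit
# extfile so the result does not depend on the local openssl.cnf.
# The intermediate is also written in DER (.crt), the format the CA in
# the post served, so that the conversion step is exercised.
make_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/O=Demo/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/O=Demo/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
  openssl x509 -in inter.pem -outform DER -out inter.crt
)

# Append a downloaded CA file (DER or PEM) to a bundle, printing its
# subject and SHA-256 fingerprint so it can be compared out of band
# before anything is trusted. Usage: add_ca <cafile> <bundle>
add_ca() {
  if openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
    pem=$(openssl x509 -inform DER -in "$1" -outform PEM)
  else
    pem=$(openssl x509 -in "$1" -outform PEM)
  fi
  printf '%s\n' "$pem" | openssl x509 -noout -subject -fingerprint -sha256
  printf '%s\n' "$pem" >> "$2"
}

# Verify the demo leaf against a bundle; succeeds only when openssl
# prints "<file>: OK". Usage: verify_leaf <bundle> [extra verify options]
verify_leaf() {
  bundle=$1; shift
  openssl verify "$@" -CAfile "$bundle" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}

report() { if verify_leaf "$@"; then echo "OK   $1 $2 $3"; else echo "FAIL $1 $2 $3"; fi; }

make_chain
: > "$WORK/bundle.pem"
add_ca "$WORK/inter.crt" "$WORK/bundle.pem"          # DER intermediate, as in the post
report "$WORK/bundle.pem"                            # intermediate only: unable to get issuer certificate
report "$WORK/bundle.pem" -partial_chain             # trusting the intermediate directly needs -partial_chain
report "$WORK/root.pem" -untrusted "$WORK/inter.pem" # root trusted, intermediate sent by the server
add_ca "$WORK/root.pem" "$WORK/bundle.pem"           # PEM root completes the chain
report "$WORK/bundle.pem"                            # intermediate + root: OK
```

The fingerprint printed by add_ca is the check to do before appending anything to /etc/ssl/cert.pem: a CA file fetched over plain http is only as trustworthy as the out-of-band fingerprint you compare it against.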
That’s All Folks!