Trust the gandi.net CA on OpenBSD

This website provides some HTTPS services. I bought the SSL certificate from a French provider called “Gandi”. Unfortunately, it seems their issuer is not known to OpenBSD, nor is their own CA trusted by Firefox. As explained in their FAQ, they provide the CA file to import manually into Firefox; once that is done, Firefox trusts the whole SSL path. We’ll use the same files to install the SSL trust path on OpenBSD, in the system OpenSSL instance.

Grab the CA certificates

When I read the www.tumfatig.net certificate details from Safari or Firefox, I can see that the gandi.net CA provides its certificate here: http://crt.gandi.net/GandiStandardSSLCA.crt. Once that is installed in Firefox and/or Safari, I can see that Gandi uses “The USERTRUST Network” as its issuer. Their CA certificate is available here: http://crt.usertrust.com/UTNAddTrustServer_CA.crt.

Those files can be downloaded directly from Firefox or Safari, but we’ll use OpenBSD to do the whole job.

Install the CA trust path

Here is what happens when I try to connect over SSL to a service protected by my certificate:

# openssl s_client -connect www.tumfatig.net:imaps
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = www.tumfatig.net
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.tumfatig.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA

We have to download the CA files, convert them to a proper format and install them in the OpenSSL infrastructure:

# ftp http://crt.gandi.net/GandiStandardSSLCA.crt
# ftp http://crt.usertrust.com/UTNAddTrustServer_CA.crt
# for CAfile in GandiStandardSSLCA.crt UTNAddTrustServer_CA.crt; do
openssl x509 -inform DER -outform PEM -in $CAfile -out $CAfile.pem;
openssl x509 -in $CAfile.pem -text >> /etc/ssl/cert.pem
done
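As an added example (not part of the original post), here is a small POSIX sh script that does the same conversion and installation more carefully: it accepts DER or PEM input, refuses a certificate that is not marked as a CA, and skips a certificate whose SHA-256 fingerprint is already in the bundle, so re-running it does not append duplicates to cert.pem. The function names and the bundle path argument are my own choices, and openssl(1) is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original post: install a downloaded CA certificate
# into an OpenSSL trust bundle such as /etc/ssl/cert.pem. Accepts DER (as served
# by crt.gandi.net and crt.usertrust.com) or PEM, refuses non-CA certificates and
# skips certificates already in the bundle. Assumes openssl(1) is installed.
set -eu
# Print the PEM form of certificate file $1, whatever its input encoding.
# A file that is neither PEM nor DER makes openssl fail, which aborts the script.
to_pem() {
    if openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; then
        openssl x509 -inform PEM -in "$1" -outform PEM
    else
        openssl x509 -inform DER -in "$1" -outform PEM
    fi
}

# Succeed only if the PEM certificate on stdin carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -noout -text | grep -q 'CA:TRUE'
}

# SHA-256 fingerprint (hex, colon separated) of the PEM certificate on stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of every certificate in bundle file $1, one per line. Text that
# precedes a PEM block (e.g. "openssl x509 -text" output) is ignored by openssl.
bundle_fingerprints() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    i=1
    while [ "$i" -le "$n" ]; do
        awk -v k="$i" '/-----BEGIN CERTIFICATE-----/ { c++ } c == k' "$1" | fingerprint
        i=$((i + 1))
    done
}

# install_ca CERTFILE BUNDLE: returns 0 if appended, 1 if already present,
# 2 if CERTFILE is not a CA certificate. Prints subject, issuer and fingerprint
# so the operator can compare them with the issuer reported by s_client.
install_ca() {
    pem=$(to_pem "$1")
    printf '%s\n' "$pem" | is_ca || return 2
    fp=$(printf '%s\n' "$pem" | fingerprint)
    if [ -f "$2" ] && bundle_fingerprints "$2" | grep -qx "$fp"; then
        return 1
    fi
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -fingerprint -sha256
    printf '%s\n' "$pem" >> "$2"
}
```

Source the file, then call `install_ca GandiStandardSSLCA.crt /etc/ssl/cert.pem` for each downloaded file; afterwards re-run the s_client command and check that every depth reports `verify return:1`.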

Now, here’s what happens when I connect to the SSL service:

# openssl s_client -CAfile /etc/ssl/cert.pem -connect www.tumfatig.net:imaps
CONNECTED(00000003)
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify error:num=2:unable to get issuer certificate
issuer= C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:0

Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.tumfatig.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA

Note that you have to specify the cert.pem file to any client that wishes to validate your certificate. Also note that the output above still reports verify error 2 at depth 2: the chain now reaches the UTN-USERFirst-Hardware certificate, but its issuer, AddTrust External CA Root, is not in cert.pem, so that root certificate must be added as well before the whole chain verifies.

That’s All Folks!
