PRELIMINARY PROCEDURES:
It is assumed that openssl has been installed correctly, that the
default cert directory is /usr/local/ssl/certs (it's often
/etc/ssl/certs, but we need a point of departure for the discussion),
and that lynx has been compiled --with-ssl.
The default location for certs on your system may be different, or
there may not be one. You will have to substitute that location for
/usr/local/ssl/certs in the following instructions, and/or set
environment variables.
To determine the default location for certs on your system you may run
the following command:

    strings libcrypto.a | grep -in cert | less

Look in this output for SSL_CERT_DIR and SSL_CERT_FILE, and the lines
just above them. These are your default locations, respectively, for
certificates and for the CA cert bundle, cert.pem. You will need to know
where libcrypto.a is found, of course.
Example output:

    7490:/etc/ssl/certs
    7491:/etc/ssl/cert.pem
    7492:SSL_CERT_DIR
    7493:SSL_CERT_FILE

Other possible example output:

    31555:/usr/local/ssl/certs
    31556:/usr/local/ssl/cert.pem
    31557:SSL_CERT_DIR
    31558:SSL_CERT_FILE
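
The lookup described above can be scripted. The following is an added
example, not part of the original document or of lynx or OpenSSL. It
assumes the two default paths sit directly above an adjacent
SSL_CERT_DIR / SSL_CERT_FILE pair, as in the example output, and that a
set SSL_CERT_DIR or SSL_CERT_FILE environment variable takes the place
of the compiled-in default. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: read `strings libcrypto.a` output on stdin, with or
# without the "NNN:" prefixes that grep -n adds, and report where
# certificates will be looked up.

# Print "DIR<TAB>FILE": the two strings directly above the adjacent
# SSL_CERT_DIR / SSL_CERT_FILE pair. Exit status 1 if no pair is found.
compiled_cert_defaults() {
    awk '
        { sub(/^[0-9]+:/, "") }        # drop grep -n line numbers
        armed && $0 == "SSL_CERT_FILE" { print dir "\t" file; found = 1; exit }
        { armed = 0 }                  # the pair must be adjacent
        $0 == "SSL_CERT_DIR" { dir = prev2; file = prev1; armed = 1 }
        { prev2 = prev1; prev1 = $0 }  # remember the last two lines
        END { exit (found ? 0 : 1) }
    '
}

# Print the locations in effect: an environment variable, when set,
# replaces the compiled-in default for that item only.
effective_cert_paths() {
    defaults=$(compiled_cert_defaults) || return 1
    def_dir=$(printf '%s\n' "$defaults" | cut -f1)
    def_file=$(printf '%s\n' "$defaults" | cut -f2)
    printf 'dir=%s\nfile=%s\n' \
        "${SSL_CERT_DIR:-$def_dir}" "${SSL_CERT_FILE:-$def_file}"
}

# Constructed sample, same shape as the example output in the text.
# Real use: strings /path/to/libcrypto.a | effective_cert_paths
SAMPLE='7490:/etc/ssl/certs
7491:/etc/ssl/cert.pem
7492:SSL_CERT_DIR
7493:SSL_CERT_FILE'

printf '%s\n' "$SAMPLE" | effective_cert_paths
```
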
Note that when OpenSSL is installed, the c_rehash utility is installed
in a bin directory (default /usr/local/ssl/bin). You will need to
know where it is on your system. The command:

    whereis c_rehash

will probably give useful results.
Note also that there is no CA cert bundle distributed with OpenSSL.
The OpenSSL team specifically decided NOT to do that. Getting a set of
trusted certificates is left up to the installer.
Pulling the bundle of trusted root certs out of a recent version of
Internet Explorer is no longer a fairly trivial procedure. Multiple
certificates are no longer exportable as a DER-formatted file;
extraction of a single certificate is the only export for DER,
and DER is what converts to PEM.
Users with access to Apple OS X can export all certificates from
Keychain Access System Roots as a .pem file. Place this in
SSL_CERT_DIR and hash it and you're done.
The MirOS BSD project also provides them. The procedure to convert and
install them is detailed later in this document, and if you simply
need to have commercially provided certificates trusted by lynx, you
can skip down a few lines to the INSTALLING OR UPDATING THE CA BUNDLE
section.
Extracted Mozilla cert bundles are available for download from the
curl project http://curl.haxx.se/docs/caextract.html along with a
script to extract from Mozilla source.