Where and how do I get and install certificates for a new OpenSSL installation?

0

I just compiled OpenSSL and the Lynx web browser. I would like to browse HTTPS sites. I understand that I need to get certificates from the CAs these sites use, and that I also need some kind of certificate. The web browser calls OpenSSL correctly, but I can't browse the Internet because I don't have an initial list of certificate authority certificates.

Does anyone have documentation that explains how to get these certificates and get OpenSSL to consume them?

Thanks

    
by enthdegree 31.05.2017 / 17:58

2 answers

2

To make your browser handle SSL/TLS, you must install root certificates from different certificate authorities in your browser. With these certificates, your browser will recognize the signing keys and accept them. You can check here the list of CAs installed in Mozilla and the certificates themselves.

P.S. To install certificates, you should check your browser's documentation.

    
by 31.05.2017 / 18:21
0

Does anyone have documentation that explains how to get these certificates and get OpenSSL to consume them?

From the Lynx README.sslcerts:

PRELIMINARY PROCEDURES:

It is assumed that openssl has been installed correctly, that the default cert directory is /usr/local/ssl/certs, (it's often /etc/ssl/certs, but we need a point of departure for the discussion) and that lynx has been compiled --with-ssl.

The default location for certs on your system may be different, or there may not be one. You will have to substitute that location for /usr/local/ssl/certs in the following instructions, and/or set environment variables.

To determine the default location for certs on your system you may run the following command:

strings libcrypto.a  | grep -in cert | less

Look in this output for SSL_CERT_DIR and SSL_CERT_FILE, and the lines just above them. This is your default location, respectively, for certificates, and the CA cert bundle, cert.pem. You will need to know where libcrypto.a is found of course.

Example output:

7490:/etc/ssl/certs
7491:/etc/ssl/cert.pem
7492:SSL_CERT_DIR
7493:SSL_CERT_FILE

Other possible example output:

31555:/usr/local/ssl/certs
31556:/usr/local/ssl/cert.pem
31557:SSL_CERT_DIR
31558:SSL_CERT_FILE

Note that when OpenSSL is installed, the c_rehash utility is installed in a bin directory (default /usr/local/ssl/bin). You will need to know where it is on your system. The command:

whereis c_rehash

will probably give useful results.

Note also that there is no CA cert bundle distributed with OpenSSL. The OpenSSL team specifically decided NOT to do that. Getting a set of trusted certificates is left up to the installer.

It is no longer a fairly trivial procedure to pull the bundle of trusted root certs out of a recent version of Internet Explorer. Multiple certificates are no longer exportable as a DER formatted file; extraction of a single certificate is the only export for DER, and DER is what converts to PEM.

Users with access to Apple OS X can export all certificates from Keychain Access System Roots as a .pem file. Place this in SSL_CERT_DIR and hash it and you're done.

The MirOS BSD project also provides them. The procedure to convert and install them is detailed later in this document, and if you simply need to have commercially provided certificates trusted by lynx, you can skip down a few lines to the INSTALLING OR UPDATING THE CA BUNDLE section.

Extracted Mozilla cert bundles are available for download from the curl project http://curl.haxx.se/docs/caextract.html along with a script to extract from Mozilla source.

    
by 14.06.2017 / 22:23
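
The README's steps for locating the default cert directory and bundle can be scripted. The following is an added example, not part of the answer or of the Lynx README: it parses the `strings ... | grep -in cert` output, applies the SSL_CERT_DIR / SSL_CERT_FILE overrides, and reports whether the store still needs certificates or a c_rehash run. The function names are hypothetical, and it assumes the output layout shown in the README's examples.

```shell
#!/bin/sh
# Added example (not from the Lynx README). Function names are hypothetical.

# Constructed sample: the README's first example of the strings/grep output.
SAMPLE='7490:/etc/ssl/certs
7491:/etc/ssl/cert.pem
7492:SSL_CERT_DIR
7493:SSL_CERT_FILE'

# Read that output on stdin; print the compiled-in cert directory and bundle
# file, one per line. Assumes the layout the README shows: both paths sit on
# the two lines directly above SSL_CERT_DIR. Fails if the marker is absent.
parse_defaults() {
    awk '{ sub(/^[0-9]+:/, "") }                      # drop grep -n prefixes
         $0 == "SSL_CERT_DIR" && n >= 2 { print prev2; print prev1; found = 1; exit }
         { prev2 = prev1; prev1 = $0; n++ }
         END { if (!found) exit 1 }'
}

# The environment variables, when set, override the compiled-in defaults.
effective_dir()  { printf '%s\n' "${SSL_CERT_DIR:-$1}"; }
effective_file() { printf '%s\n' "${SSL_CERT_FILE:-$1}"; }

# Classify a trust store given its directory and bundle file:
#   ok       - bundle holds a PEM certificate, or directory has <hash>.<n> entries
#   unhashed - directory has files but none named <hash>.<n>; run c_rehash on it
#   empty    - directory exists but is empty and there is no usable bundle
#   missing  - no directory and no usable bundle
store_state() {
    dir=$1 file=$2
    if [ -s "$file" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
        echo ok; return 0
    fi
    [ -d "$dir" ] || { echo missing; return 0; }
    hashed=$(ls "$dir" | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true)
    total=$(ls "$dir" | grep -c . || true)
    if [ "$hashed" -gt 0 ]; then echo ok
    elif [ "$total" -gt 0 ]; then echo unhashed
    else echo empty
    fi
}

# Demo on the constructed sample, then on this machine's effective locations.
defaults=$(printf '%s\n' "$SAMPLE" | parse_defaults)
d=$(effective_dir "$(printf '%s\n' "$defaults" | sed -n 1p)")
f=$(effective_file "$(printf '%s\n' "$defaults" | sed -n 2p)")
echo "cert dir: $d  bundle: $f  state: $(store_state "$d" "$f")"
```

To check a real build, pipe the actual `strings libcrypto.a | grep -in cert` output into `parse_defaults` instead of the sample.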