Gentoo Forums
OpenSSL CA certificates in /etc/ssl/certs/*
eccerr0r
Posted: Tue Feb 11, 2020 4:20 am    Post subject: OpenSSL CA certificates in /etc/ssl/certs/*

How are the files in there accessed in general? Is there another list/database that points to these files?

It seems the names of the files are arbitrary. And the symlinks? What are they for?

There are a bunch of files:

descriptive_name.pem
(32-bit hex number).0

I suspect the 32-bit hex number is some sort of hash... How is this hash generated? Are the descriptive_names ever used or are they always indexed by the hash.0 file?

Have the contents of the directory or database changed from older OpenSSL? Implementation specific? Other SSL implementations?

Root problem: I have an ancient Linux using OpenSSL 0.9.8 I believe. The CA certificates in this directory are... shall we say... old. I wonder if it's possible to update the certificates by copying updated ones into the certificate directory manually?

As this is not a Gentoo box I think I may have misplaced this post, but I am planning to copy the CA certificates from a Gentoo box to this machine...
Princess Nell
Posted: Sun Feb 23, 2020 5:34 pm

Yes, that hash has changed. See x509(1ssl) for details (HISTORY section). For details on the computation, see openssl source code. Or take a look at https://stackoverflow.com/questions/30261296/generate-subject-hash-of-x509certificate-in-java for an overview description. If you want to regenerate the hash directory for the old version, you may need to use c_rehash on the old box, or regenerate the directory on the new box (preferably into a temp location) using openssl's -subject_hash_old option. See also c_rehash(1ssl).
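The approach from the reply above (regenerate the hash directory on the newer box, into a separate location, with `-subject_hash_old`), written out as an added example that is not part of the original thread. The function name `rehash_old` and the output layout are assumptions; it expects an `openssl` binary that supports `-subject_hash_old`.

```shell
#!/bin/sh
# Added example, not from the thread: build a hashed CA directory that an
# old OpenSSL (pre-1.0.0 hash scheme) can use, working on a newer machine.
# Usage: rehash_old SRC_DIR OUT_DIR   (prints the number of links created)
rehash_old() {
    src=$1
    out=$2
    mkdir -p "$out" || return 1
    linked=0
    for pem in "$src"/*.pem "$src"/*.crt; do
        [ -f "$pem" ] || continue        # unmatched glob or dangling symlink
        # Old-style subject hash; the command fails if the file is not a cert.
        hash=$(openssl x509 -noout -subject_hash_old -in "$pem" 2>/dev/null) || continue
        [ -n "$hash" ] || continue
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$pem")
        # Different certificates can share a subject hash, so the lookup
        # names are HASH.0, HASH.1, ...; an identical certificate is skipped.
        n=0
        dup=0
        while [ -e "$out/$hash.$n" ]; do
            other=$(openssl x509 -noout -fingerprint -sha256 -in "$out/$hash.$n")
            if [ "$other" = "$fp" ]; then
                dup=1
                break
            fi
            n=$((n + 1))
        done
        if [ "$dup" -eq 1 ]; then
            continue
        fi
        base=$(basename "$pem")
        # cp follows symlinks, so the output holds real files and can be
        # copied to the old machine as a self-contained directory.
        cp "$pem" "$out/$base"
        ln -s "$base" "$out/$hash.$n"
        linked=$((linked + 1))
    done
    echo "$linked"
}

# Run directly when given two arguments, e.g.:
#   sh rehash_old.sh /etc/ssl/certs /tmp/certs-old
if [ "$#" -eq 2 ]; then
    rehash_old "$1" "$2"
fi
```

The descriptive `.pem` names are only link targets here; a lookup by directory goes through the `HASH.N` names, which is why they must match the hash scheme of the OpenSSL version that reads them.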