News, tips, partners, and perspectives for the Oracle Solaris operating system

How to add a CA cert to Solaris

CA cert Overview

X.509 certificates ("certs") contain an RSA public key and the key's signer ("CN" or "Subject"). A cert lets you verify that some file or object was signed with the key holder's private key. Certificate Authority certificates ("CA certs") are issued by well-known organizations to verify that a cert is legitimate and that the public key in the cert can be trusted.

Solaris-specific

Solaris keeps the CA certs in /etc/certs/CA/. Hashed links to the CA certs are kept in /etc/openssl/certs/ for fast lookup and access (usually by OpenSSL). Usually, each filename in /etc/certs/CA is the cert holder's CN with spaces replaced by underscores ("_") and a .pem file name extension appended. For example, the file /etc/certs/CA/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem contains the cert for CN "VeriSign Class 4 Public Primary Certification Authority - G3".

If a CA cert you need (to verify one of your certs) is missing, you can add the cert yourself. Here's an example of adding a fictitious cert named Elbonia_Root_CA.pem.

  • Verify the CA cert is legitimate. Check with the CA cert issuer instead of relying on a third party. You don't want "rogue" (invalid) CA certs on your system, as that could lead to your software trusting rogue certs.

  • It's good practice to strip extra text before and after the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. This is not required, but it protects against buggy software that can't handle the extra text, especially text before the "BEGIN" line.
  • Verify the cert is not corrupt. For example: openssl x509 -noout -text -in Elbonia_Root_CA.pem

    This command should display the Issuer, owner (Subject/DN), validity dates, signature algorithm, and public key, among other information.
  • Make the cert world-readable, if it isn't already. For example: chmod a+r Elbonia_Root_CA.pem; ls -l Elbonia_Root_CA.pem
  • Copy the cert to directory /etc/certs/CA. For example: cp -p Elbonia_Root_CA.pem /etc/certs/CA/
  • Install the cert into /etc/certs/ca-certificates.crt and
    add a hashed link in /etc/openssl/certs/ with this command: /usr/sbin/svcadm restart /system/ca-certificates
  • Verify the CA cert service has restarted (and processed your new CA cert) with: /usr/sbin/svcs /system/ca-certificates
  • If the service hasn't come online, the cert may be corrupt or a duplicate of an existing CA cert.
    Look for error messages in the files /var/svc/log/system-ca-certificates:default.log and /system/volatile/system-ca-certificates:default.log.

  • Availability
    The default CA cert files and ca-certificates service were added in Solaris 11.0.
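The steps above, collected into one script, as an added example that is not part of the original post. It uses the directory, log files and service name the post gives; the file name Elbonia_Root_CA.pem is the post's fictitious example, the function names (cn_to_filename, strip_pem, verify_pem, install_ca_cert) are this example's own, and openssl is assumed to be installed. The strip_pem and cn_to_filename helpers run anywhere; install_ca_cert is meant to be run as root on Solaris 11 and is not invoked by the script itself.

```shell
#!/bin/sh
# Added example (not the post's own code): install a CA cert on Solaris 11
# following the post's steps. Paths and the service FMRI are those named in
# the post; function names are this example's own.

CA_DIR=/etc/certs/CA
CA_SVC=svc:/system/ca-certificates:default

# File name convention from the post: the Subject CN with spaces replaced by
# "_" and ".pem" appended.
cn_to_filename() {
    printf '%s.pem\n' "$1" | tr ' ' '_'
}

# Keep only the first PEM block: drop any text before the BEGIN line and
# anything after the END line, so picky software does not choke on it.
strip_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { exit }' "$1"
}

# Check the file parses as an X.509 cert and show the fields a human should
# compare against what the issuer published (subject, issuer, validity).
verify_pem() {
    openssl x509 -noout -subject -issuer -dates -in "$1"
}

# Full procedure. Argument: path to the cleaned PEM file. Run as root.
install_ca_cert() {
    pem="$1"
    name=$(basename "$pem")
    verify_pem "$pem" || { echo "$pem: not a valid X.509 certificate" >&2; return 1; }
    chmod a+r "$pem"                       # must be world-readable
    cp -p "$pem" "$CA_DIR/$name"           # drop it into /etc/certs/CA
    /usr/sbin/svcadm restart "$CA_SVC"     # rebuilds ca-certificates.crt and hashed links
    /usr/sbin/svcs "$CA_SVC"               # STATE column should read "online"
    echo "If the service is not online, check:"
    echo "  /var/svc/log/system-ca-certificates:default.log"
    echo "  /system/volatile/system-ca-certificates:default.log"
}

# Demonstration on a constructed input (not a real certificate): a file with
# junk before and after the PEM block, as some CAs' download pages produce.
demo_dir=$(mktemp -d)
demo_in="$demo_dir/$(cn_to_filename 'Elbonia Root CA')"
printf '%s\n' 'Certificate:' '    Data: (constructed text, not a real cert)' \
    '-----BEGIN CERTIFICATE-----' 'MIIBconstructedBase64Placeholder' \
    '-----END CERTIFICATE-----' 'trailing junk' > "$demo_in"
echo "Cleaned PEM for $demo_in:"
strip_pem "$demo_in"
rm -rf "$demo_dir"
echo "To install for real: strip_pem raw.pem > Elbonia_Root_CA.pem; install_ca_cert Elbonia_Root_CA.pem"
```

strip_pem stops at the first END line on purpose: a CA bundle with several certs should be split into one file per cert, since the post's naming convention is one CN per file.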
