Telling OpenSSL About Your Root Certificates
OpenSSL doesn’t come with its own trusted root certificates; you have to tell it where to find them. This should be straightforward – and it is – but Apple have found a way to make it trickier.
Normal *nix Systems
On a normal Unix system the distribution installs a bundle of root certificates under the directory OpenSSL was built to look in, but the openssl command-line tools still have to be pointed at that store explicitly. For example, running Ubuntu:
john@ubuntu:~$ openssl s_client -connect www.microsoft.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
[...removed for brevity...]
PSK identity hint: None
SRP username: None
Start Time: 1425842365
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
OpenSSL cannot validate the chain: verify error 20, "unable to get local issuer certificate", means that the certificate at that depth (here the VeriSign root) could not be matched to a trusted issuer in the local store. So where does OpenSSL expect the trusted root certificates to be? It will tell us:
john@ubuntu:~$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
Pass that directory to the command as the -CApath parameter. Two caveats: -CApath expects a directory in which each certificate is stored (or symlinked) under its subject-hash name, which is what c_rehash produces, and the directory OpenSSL's own default search uses is the certs subdirectory of OPENSSLDIR (on Ubuntu /usr/lib/ssl/certs, a symlink to /etc/ssl/certs). If you would rather hand over a single bundle file, such as /etc/ssl/certs/ca-certificates.crt on Ubuntu, use -CAfile instead. With the directory supplied:
john@ubuntu:~$ openssl s_client -CApath /usr/lib/ssl -connect www.microsoft.com:443
CONNECTED(00000003)
depth=3 C = US, O =
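The behaviour above can be reproduced offline without touching the system store. The script below is an added example and is not code from the original post: it builds a throwaway root CA and a leaf certificate in a temporary directory (the CA name "Example Throwaway Root CA" and the host name leaf.example.test are made up for this example), then runs `openssl verify`, which takes the same -CApath and -CAfile options as s_client, in four ways: with no trust hints at all, with a -CApath directory whose file is not hash-named, with a properly hash-indexed -CApath, and with -CAfile. It assumes an `openssl` binary on PATH plus mktemp and sed; it brings its own minimal request config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrate that OpenSSL only
# trusts a root when told where it is, and that -CApath needs hash-named
# files. Builds a throwaway CA in a temp dir; nothing touches the network
# or the system trust store.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Where this OpenSSL build looks by default: OPENSSLDIR (what
# `openssl version -d` prints) plus its certs/ subdirectory.
default_capath() {
    openssl version -d | sed 's/^OPENSSLDIR: *"\(.*\)"$/\1\/certs/'
}

# Minimal req config (constructed here) so the CA gets CA:TRUE regardless of
# the system openssl.cnf. The empty [dn] section is fine because -subj is used.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Throwaway root CA (hypothetical name; never trust it anywhere else).
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 1 -subj "/CN=Example Throwaway Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Leaf certificate for a made-up host, signed by that CA.
openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null

# A -CApath directory that merely holds the CA under its own file name.
mkdir "$WORK/unhashed"
cp "$WORK/ca.pem" "$WORK/unhashed/ca.pem"

# A -CApath directory laid out as OpenSSL expects: <subject-hash>.<n>,
# which is exactly what c_rehash produces for a whole directory.
mkdir "$WORK/hashed"
cp "$WORK/ca.pem" "$WORK/hashed/$(openssl x509 -in "$WORK/ca.pem" -noout -hash).0"

# verify_leaf CERT [openssl verify options...]: exit 0 if the chain
# verifies, non-zero otherwise (openssl's own exit status).
verify_leaf() {
    cert=$1
    shift
    openssl verify "$@" "$cert" >/dev/null 2>&1
}

# run_checks: prints one word ("ok" or "fail") per scenario, in order:
#   1. no -CApath/-CAfile at all (only the build's default store)
#   2. -CApath pointing at a directory with un-hashed file names
#   3. -CApath pointing at a hash-indexed directory
#   4. -CAfile pointing straight at the CA certificate
run_checks() {
    r1=$(verify_leaf "$WORK/leaf.pem" && echo ok || echo fail)
    r2=$(verify_leaf "$WORK/leaf.pem" -CApath "$WORK/unhashed" && echo ok || echo fail)
    r3=$(verify_leaf "$WORK/leaf.pem" -CApath "$WORK/hashed" && echo ok || echo fail)
    r4=$(verify_leaf "$WORK/leaf.pem" -CAfile "$WORK/ca.pem" && echo ok || echo fail)
    echo "$r1 $r2 $r3 $r4"
}

echo "default -CApath for this build: $(default_capath)"
echo "no hints / unhashed CApath / hashed CApath / CAfile: $(run_checks)"
```

The second scenario is the one that bites people: pointing -CApath at a directory that contains the right certificate under the wrong name fails with the same error 20 as giving no path at all, because the directory lookup is by subject hash, not by scanning the files. When in doubt, run `c_rehash` on the directory or use -CAfile with a bundle.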