How to install CA cert?

[notooth]

Hello,

Can anyone instruct me to install CA cert on NetBSD?

[IdOp]

Can you clarify your question ... Do you want to install a collection of certificates for common internet sites? Or, do you want to install a cert for one of your local servers?

If the former, IIRC you may need to install one of the mozilla-rootcerts-* packages from pkgsrc.

If the latter, I don't have any NetBSD-specific information. If you can post more details of which server you want to provide a cert for, then maybe someone can help.

[notooth]

Installing mozilla-rootcerts-openssl solved the problem. Thank you for the help.

[IdOp]

Glad to hear that solved it, and you're welcome.

[Sehnsucht94]

Just a heads-up for the fact that starting with NetBSD 10.0, Mozilla certificates and TLS trust anchors are included the base system and mozilla-rootcerts/ca-certificates packages are no longer required (at least, on NetBSD hosts). To handle base certificates, the new certctl(8) utility has been introduced.
Transitioning to the new system from 9.x is described in in the wiki at certctl-transition.
Also, since certctl landed in 10.0_BETA, older 10.0 beta snapshots aren't compatible with recent binary packages for 10.0, so user are invited to upgrade to the latest stable snapshot.

[hackexe]

I know this has been solved but I'd like to do what I can to help demystify TLS certificates as they are without the use of platform-specific tools which does nothing but cause further confusion on this topic. This will only be an extremely simple "summary" on what it means to "install" a TLS certificate.

To "install" a TLS certificate just means to append a copy of it to your system's cert.pem file. You could also save certificates as separate files in a specific directory, but I'll only discuss cert.pem since it's cleaner.

All certificates that you trust are in this plain text cert.pem file. When you append a new certificate to it, you are telling all programs that make use of TLS, and thus utilize cert.pem, that you hereby trust this new certificate.

The cert.pem is (and should be) located under the standard location /etc/ssl. When programs establish TLS connections, they load all certificates that you trust from /etc/ssl/cert.pem. Those programs will generally be configurable so that you can specify which file, or directory, contains all your trusted certificates. That means you can store your certificates anywhere you'd like, but there's really no reason to over-complicate things. Keep a /etc/ssl/cert.pem and call it a day.

There are indeed systems that like to do their own thing with stuff like this, which I think should be kept simple, but you can trust this is how installing, and therefore trusting, TLS certificates works fundamentally.

[jmccue]

Quote:

Originally Posted by Sehnsucht94

Just a heads-up for the fact that starting with NetBSD 10.0, Transitioning to the new system from 9.x is described in in the wiki at certctl-transition.

Thanks, the link above worked great for NetBSD 10.0 RC1. But what about "security/mozilla-rootcerts" ?

Seems a lot of items depend upon it (like firefox115-115.2.0). Do you know if that will still be needed for NetBSD 10.0 ?