DaemonForums  

Go Back   DaemonForums > NetBSD > NetBSD Security

NetBSD Security Securing NetBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 6th November 2019
notooth notooth is offline
Shell Scout
 
Join Date: Jul 2015
Posts: 125
Default How to install CA cert?

Hello,

Can anyone instruct me to install CA cert on NetBSD?
Reply With Quote
  #2   (View Single Post)  
Old 6th November 2019
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

Can you clarify your question ... Do you want to install a collection of certificates for common internet sites? Or, do you want to install a cert for one of your local servers?

If the former, IIRC you may need to install one of the mozilla-rootcerts-* packages from pkgsrc.

If the latter, I don't have any NetBSD-specific information. If you can post more details of which server you want to provide a cert for, then maybe someone can help.

Last edited by IdOp; 6th November 2019 at 07:29 PM.
Reply With Quote
  #3   (View Single Post)  
Old 6th November 2019
notooth notooth is offline
Shell Scout
 
Join Date: Jul 2015
Posts: 125
Default

Installing mozilla-rootcerts-openssl solved the problem. Thank you for the help.
Reply With Quote
  #4   (View Single Post)  
Old 7th November 2019
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

Glad to hear that solved it, and you're welcome.
Reply With Quote
  #5   (View Single Post)  
Old 4th October 2023
Sehnsucht94's Avatar
Sehnsucht94 Sehnsucht94 is offline
Real Name: Paolo Vincenzo Olivo
Package Pilot
 
Join Date: Oct 2017
Location: Rome
Posts: 169
Default

Just a heads-up for the fact that starting with NetBSD 10.0, Mozilla certificates and TLS trust anchors are included the base system and mozilla-rootcerts/ca-certificates packages are no longer required (at least, on NetBSD hosts). To handle base certificates, the new certctl(8) utility has been introduced.
Transitioning to the new system from 9.x is described in in the wiki at certctl-transition.
Also, since certctl landed in 10.0_BETA, older 10.0 beta snapshots aren't compatible with recent binary packages for 10.0, so user are invited to upgrade to the latest stable snapshot.
__________________
“Mi casa tendrá dos piernas y mis sueños no tendrán fronteras„

Last edited by Sehnsucht94; 5th October 2023 at 02:32 PM.
Reply With Quote
  #6   (View Single Post)  
Old 25th November 2023
hackexe hackexe is offline
New User
 
Join Date: Nov 2023
Posts: 7
Default

I know this has been solved but I'd like to do what I can to help demystify TLS certificates as they are without the use of platform-specific tools which does nothing but cause further confusion on this topic. This will only be an extremely simple "summary" on what it means to "install" a TLS certificate.

To "install" a TLS certificate just means to append a copy of it to your system's cert.pem file. You could also save certificates as separate files in a specific directory, but I'll only discuss cert.pem since it's cleaner.

All certificates that you trust are in this plain text cert.pem file. When you append a new certificate to it, you are telling all programs that make use of TLS, and thus utilize cert.pem, that you hereby trust this new certificate.

The cert.pem is (and should be) located under the standard location /etc/ssl. When programs establish TLS connections, they load all certificates that you trust from /etc/ssl/cert.pem. Those programs will generally be configurable so that you can specify which file, or directory, contains all your trusted certificates. That means you can store your certificates anywhere you'd like, but there's really no reason to over-complicate things. Keep a /etc/ssl/cert.pem and call it a day.

There are indeed systems that like to do their own thing with stuff like this, which I think should be kept simple, but you can trust this is how installing, and therefore trusting, TLS certificates works fundamentally.
Reply With Quote
  #7   (View Single Post)  
Old 25th November 2023
jmccue jmccue is offline
Real Name: John McCue
Package Pilot
 
Join Date: Aug 2012
Location: here
Posts: 188
Default

Quote:
Originally Posted by Sehnsucht94 View Post
Just a heads-up for the fact that starting with NetBSD 10.0, Transitioning to the new system from 9.x is described in in the wiki at certctl-transition.
Thanks, the link above worked great for NetBSD 10.0 RC1. But what about "security/mozilla-rootcerts" ?

Seems a lot of items depend upon it (like firefox115-115.2.0). Do you know if that will still be needed for NetBSD 10.0 ?
__________________
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars (tvtropes.org)
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Cant install anything after fresh install bsd007 OpenBSD Installation and Upgrading 3 9th October 2017 09:32 PM
BSDA cert exam now available at IQT testing centers nilsgecko News 21 12th May 2011 12:08 AM
How - To install GNOME vile I install OpenBSD ? looop OpenBSD Installation and Upgrading 6 24th April 2010 08:58 PM
US-CERT: Broadcom NetXtreme network cards vulnerable J65nko News 0 27th March 2010 09:42 PM


All times are GMT. The time now is 12:11 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick