See:
curl
$ strace -f --trace=%file curl https://www.acme.fr 2>&1 | egrep -v 'ENOENT|/lib/' | grep ^open
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
Still to check: whether curl uses libNSS.
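An added example (not part of the original notes) that does in code what the strace one-liner above does by eye: it parses `open`/`openat` lines, keeps only successful opens, reports which known system CA bundle the TLS client actually read, and gives a heuristic answer to the libNSS question by looking for libnss3 and the /etc/pki/nssdb directory versus libssl. The two strace samples are constructed, and `KNOWN_BUNDLES` together with the NSS/OpenSSL path hints are assumptions of the example, not facts taken from the notes.

```python
import re

# One strace file-syscall line, with or without the "[pid N]" prefix that
# `strace -f` adds for child processes:
#   open("path", ...) = N      or      openat(AT_FDCWD, "path", ...) = N
_OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?open(?:at\((?:AT_FDCWD|\d+), |\()'
    r'"(?P<path>[^"]+)", [^)]*\) = (?P<ret>-?\d+)'
)

# Well-known system CA bundle locations (Debian/Ubuntu and RedHat/Fedora).
# Assumption of this example: extend it for other distributions.
KNOWN_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
)

# Constructed sample of `strace -f --trace=%file curl https://...` output on a
# Debian-style host with an OpenSSL-linked curl (not a real capture).
SAMPLE_OPENSSL = """\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libssl.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
"""

# Constructed sample for a RedHat-style host with an NSS-linked client,
# including a child-process line as `strace -f` prints it (not a real capture).
SAMPLE_NSS = """\
openat(AT_FDCWD, "/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/pki/nssdb/cert9.db", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 6
[pid  4242] openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 7
"""


def opened_files(strace_text):
    """Paths the traced process really opened (syscall returned a descriptor, not -1)."""
    paths = []
    for line in strace_text.splitlines():
        m = _OPEN_RE.match(line)
        if m and int(m.group("ret")) >= 0:
            paths.append(m.group("path"))
    return paths


def ca_bundles_read(strace_text):
    """Which of the known system CA bundles the client actually read."""
    return [p for p in opened_files(strace_text) if p in KNOWN_BUNDLES]


def tls_backend_hint(strace_text):
    """Heuristic (an assumption of this example): an NSS backend loads libnss3
    and reads the nssdb directory, an OpenSSL backend loads libssl."""
    paths = opened_files(strace_text)
    if any("libnss3.so" in p or "/nssdb/" in p for p in paths):
        return "nss"
    if any("libssl.so" in p for p in paths):
        return "openssl"
    return "unknown"


if __name__ == "__main__":
    for name, sample in (("openssl sample", SAMPLE_OPENSSL), ("nss sample", SAMPLE_NSS)):
        print(name, "->", tls_backend_hint(sample), ca_bundles_read(sample))
```

To use it on a real trace, save the strace output to a file and pass its contents to `tls_backend_hint` and `ca_bundles_read`; a client that reads none of `KNOWN_BUNDLES` is either using a private store (check the NSS hint) or a bundle path you need to add to the tuple.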
Test
curl -v -s --noproxy '*' -D - https://127.0.0.1:443/some-secure-endpoint
Show the CAs on Debian
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
Show the CAs on RedHat
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/certs/ca-bundle.crt
Check the CAs
openssl s_client -connect localhost:7000 -servername www.acme.fr -CAfile /tmp/cert.pem </dev/null
trust list --filter=ca-anchors --purpose=server-auth |grep ACME -i -A2 -B3
find /etc/ssl/certs -type l -iname "*.0" -exec cat "{}" \; | awk -v cmd='openssl x509 -noout -subject -enddate 2>/dev/null | tr "\n" " " ; echo' '/BEGIN/{cert=""};{cert=sprintf("%s\n%s",cert,$0)};/END/{print cert | cmd ;close(cmd)}' | sed -r 's:^subject=::' | sort -u
# Other ways
cat /etc/ssl/certs/ca-certificates.crt | keytool -printcert 2>/dev/null | grep "^Certificate\[" -A11 | less
csplit -z ca-bundle.crt /#/ '{*}'
Whitelist / blacklist
# /etc/pki/ca-trust/source/whitelist/
# update-ca-trust
# trust dump --filter "pkcs11:id=%BD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1B;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
# update-ca-trust extract
# trust list | grep -C2 "AddTrust External"
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
pkcs11:id=%bd%bd%98%7a%34%b4%26%f7%fa%c4%26%54%ef%03%bd%e0%24%cb%54%1B;type=cert
type: certificate
label: AddTrust External Root
trust: blacklisted
category: authority
Back up the RedHat PKI
# Backup
cp -a /etc/pki /etc/pki.bak
# Restore
rsync -ax --delete /etc/pki.bak/ /etc/pki/
Remove a CA certificate
trust anchor --remove pkcs11:id=%15%FF%08%56%E0%6C%64%24%D0%56%70%91%87%8A%2B%2C%C6%5C%DD%34;type=cert
# or
trust anchor --remove path.to/certificate.crt
or
rm /etc/pki/ca-trust/source/anchors/<CA Certificate Filename>
update-ca-trust
Source: https://www.redhat.com/sysadmin/configure-ca-trust-list
Cut bundle into individual files:
csplit -z ca-bundle.crt /#/ '{*}'
Remove blank lines:
sed -i '/^$/d' xx*
Rename files:
for file in xx*; do mv $file $(head -n 1 $file | tr -d \#" "); done
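The three steps above (split the bundle, drop blank lines, name each file from its `# Label` line) as one parser, an added example that is not part of the original notes: it splits a bundle into entries, names each entry from its header line the way `tr -d '# '` does and falls back to `cert-N` for Debian-style bundles that carry no header lines (so it goes slightly beyond the RedHat case the steps describe), computes a SHA-256 fingerprint over the DER body, and lets you search entries by label like the `trust list | grep -i` command. `SAMPLE_BUNDLE`, its placeholder base64 bodies, and all function names are constructed for this example.

```python
import base64
import hashlib
import re
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed bundle in the RedHat ca-bundle.crt layout: a "# Label" comment line
# before each certificate and blank lines between entries. The base64 bodies are
# placeholder bytes, NOT real certificates, so the example runs offline.
SAMPLE_BUNDLE = """\
# ACME Root CA
-----BEGIN CERTIFICATE-----
QUNNRSBSb290IENBIHBsYWNlaG9sZGVy
-----END CERTIFICATE-----

# Example Trust Anchor
-----BEGIN CERTIFICATE-----
RXhhbXBsZSBUcnVzdCBBbmNob3IgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""


def fingerprint(pem):
    """SHA-256 over the DER bytes (the base64 body between the BEGIN/END lines)."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def split_bundle(text):
    """Split a concatenated PEM bundle into one dict per certificate.

    Each dict carries the header label (None when the bundle has no "# Label"
    lines, as on Debian), a file-name-safe name, the PEM text and its fingerprint.
    """
    entries, label, body = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # same effect as: sed -i '/^$/d'
        if body is None:
            if line.startswith("#"):
                label = line[1:].strip()  # the comment names the certificate that follows
            elif line == BEGIN:
                body = []
            # any other text outside a block (none in a Debian bundle) is ignored
        elif line == END:
            pem = "\n".join([BEGIN, *body, END]) + "\n"
            # same naming as the rename loop above: drop '#' and spaces from the header
            name = re.sub(r"[# ]", "", label) if label else f"cert-{len(entries) + 1}"
            entries.append({"label": label, "name": name, "pem": pem,
                            "sha256": fingerprint(pem)})
            label, body = None, None
        else:
            body.append(line)
    return entries


def find_by_label(entries, needle):
    """Case-insensitive substring search on the header label (like grep -i)."""
    needle = needle.lower()
    return [e for e in entries if e["label"] and needle in e["label"].lower()]


def write_split(entries, outdir):
    """Write one <name>.crt per entry, the file layout the csplit/mv steps produce."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for e in entries:
        p = out / f"{e['name']}.crt"
        p.write_text(e["pem"])
        paths.append(p)
    return paths


if __name__ == "__main__":
    for e in split_bundle(SAMPLE_BUNDLE):
        print(e["name"], e["sha256"])
    print([e["name"] for e in find_by_label(split_bundle(SAMPLE_BUNDLE), "acme")])
```

Point `split_bundle` at the contents of /etc/pki/tls/certs/ca-bundle.crt or /etc/ssl/certs/ca-certificates.crt to get the same per-certificate files as the csplit procedure, plus a fingerprint per entry that stays valid whatever the label says.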
See:
curl http://satellite.example.com/pub/katello-server-ca.crt -o /etc/pki/ca-trust/source/anchors/satellite-ca.crt
update-ca-trust
# rpm -ql ca-certificates
# rpm -q --filesbypkg ca-certificates |awk '/bin\// { print $2}'
/usr/bin/ca-legacy
/usr/bin/update-ca-trust