
From: Lloyd <ng2d68@proton.me>
Subject: Re: /etc/ssl/cert.pem : concatenate system and local files
To: Sebastien Marie <semarie@kapouay.eu.org>
Cc: tech@openbsd.org
Date: Fri, 22 May 2026 19:31:01 +0000

I like this idea but I think the diff is broken.

Initial comments:

1. mktemp fails - shouldn't it be -p not -t?

2. the generated cert.pem has permissions 0600 root:wheel in my
testing; it needs to be world-readable. Should it be 0444 root:bin?

3. I would think cert.local.pem should have 0644 perms

4. With this tucked away into /etc/rc, what is the official update
procedure to regenerate cert.pem when adding a certificate?

5. where in the man pages do we note the existence of cert.local.pem?

Regards
Lloyd

Sebastien Marie wrote:

> Hi,
> 
> Following previous discussion on misc@ about how to add private trusted
> certificate authorities on OpenBSD, I tried to look at it.
> 
> The following diff does:
> - installing the trusted cert.pem (from lib/libcrypto) as cert.base.pem
> - in rc(8), generate cert.pem from cert.base.pem (the system one) and
>   cert.local.pem (the local file)
> 
> The rest is about using cert.base.pem for installer or for rc (checking
> libssl.so relinking).
> 
> misc@ discussion : https://marc.info/?l=openbsd-misc&m=177808544804485&w=2
> 
> Comments ?
> --
> Sebastien Marie
> 
> 
> diff --git a/distrib/amd64/ramdisk_cd/list b/distrib/amd64/ramdisk_cd/list
> index 2daf2d018e..88e2461bef 100644
> --- a/distrib/amd64/ramdisk_cd/list
> +++ b/distrib/amd64/ramdisk_cd/list
> @@ -69,7 +69,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
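Review bot: only the source path (${DESTDIR}/etc/ssl/cert.base.pem) has to change in this line; renaming the ramdisk destination to etc/ssl/cert.base.pem as well is what forces the new `ln -f` in install.sub further down, since a ramdisk never carries a cert.local.pem. Keeping the destination as etc/ssl/cert.pem would leave install.sub untouched. The same remark applies to the eight other ramdisk list hunks below.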
> diff --git a/distrib/arm64/ramdisk/list b/distrib/arm64/ramdisk/list
> index 3a8ae2e6dd..e820b3d4f7 100644
> --- a/distrib/arm64/ramdisk/list
> +++ b/distrib/arm64/ramdisk/list
> @@ -70,7 +70,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
> diff --git a/distrib/armv7/ramdisk/list b/distrib/armv7/ramdisk/list
> index a0f50dd607..b0745aa85a 100644
> --- a/distrib/armv7/ramdisk/list
> +++ b/distrib/armv7/ramdisk/list
> @@ -69,7 +69,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
> diff --git a/distrib/hppa/ramdisk/list b/distrib/hppa/ramdisk/list
> index f6a78a103f..db2e4c4227 100644
> --- a/distrib/hppa/ramdisk/list
> +++ b/distrib/hppa/ramdisk/list
> @@ -61,7 +61,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
> diff --git a/distrib/i386/ramdisk_cd/list b/distrib/i386/ramdisk_cd/list
> index d582b5bdff..1feed9ae90 100644
> --- a/distrib/i386/ramdisk_cd/list
> +++ b/distrib/i386/ramdisk_cd/list
> @@ -66,7 +66,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
> diff --git a/distrib/macppc/ramdisk/list b/distrib/macppc/ramdisk/list
> index 62d9d91dd6..63425b9021 100644
> --- a/distrib/macppc/ramdisk/list
> +++ b/distrib/macppc/ramdisk/list
> @@ -67,7 +67,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
> diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub
> index 983881cfb3..a5f25ced10 100644
> --- a/distrib/miniroot/install.sub
> +++ b/distrib/miniroot/install.sub
> @@ -3662,7 +3662,8 @@
>  [[ $1 == -!(stable) ]] && HTTP_SETDIR=snapshots/$ARCH
> 
>  # Detect if ftp(1) has tls support and set defaults based on that.
> -if [[ -e /etc/ssl/cert.pem ]]; then
> +if [[ -e /etc/ssl/cert.base.pem ]]; then
> +	ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem
>  	FTP_TLS=true
>  	HTTP_PROTO=https
>  else
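Review bot: the result of `ln -f` is not checked, so if the link fails FTP_TLS=true and HTTP_PROTO=https are still set with no /etc/ssl/cert.pem for ftp(1) to read, and every https fetch fails instead of degrading to http as the else branch would. Chain it, e.g. `ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem && FTP_TLS=true`, or keep testing `-e /etc/ssl/cert.pem` after the link as the old code did. Note also that the new `-e /etc/ssl/cert.base.pem` test silently drops to the else branch on any ramdisk whose list was not converted above; a `grep trimcerts.awk distrib/*/*/list` to confirm the nine lists in this diff are all of them would be worthwhile.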
> diff --git a/distrib/octeon/ramdisk/list b/distrib/octeon/ramdisk/list
> index 10638a6d6f..9260ec11c7 100644
> --- a/distrib/octeon/ramdisk/list
> +++ b/distrib/octeon/ramdisk/list
> @@ -65,7 +65,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
> diff --git a/distrib/powerpc64/ramdisk/list b/distrib/powerpc64/ramdisk/list
> index 8ae92b67a4..0291e02071 100644
> --- a/distrib/powerpc64/ramdisk/list
> +++ b/distrib/powerpc64/ramdisk/list
> @@ -68,7 +68,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
> diff --git a/distrib/riscv64/ramdisk/list b/distrib/riscv64/ramdisk/list
> index d04c6addcd..832d58174d 100644
> --- a/distrib/riscv64/ramdisk/list
> +++ b/distrib/riscv64/ramdisk/list
> @@ -67,7 +67,7 @@
>  ARGVLINK ksh					-sh
>  SPECIAL	rm bin/md5
> 
> -SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
> +SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
>  LINK	instbin					usr/bin/ftp-ssl usr/bin/ftp
>  SPECIAL	rm usr/bin/ftp-ssl
> 
> diff --git a/distrib/sets/lists/etc/mi b/distrib/sets/lists/etc/mi
> index 2be6c70eb6..57a64e025c 100644
> --- a/distrib/sets/lists/etc/mi
> +++ b/distrib/sets/lists/etc/mi
> @@ -37,7 +37,7 @@
>  ./etc/spwd.db
>  ./etc/ssh/ssh_config
>  ./etc/ssh/sshd_config
> -./etc/ssl/cert.pem
> +./etc/ssl/cert.base.pem
>  ./etc/ssl/ikeca.cnf
>  ./etc/ssl/openssl.cnf
>  ./etc/ssl/x509v3.cnf
> diff --git a/etc/changelist b/etc/changelist
> index 0dc0188b18..6da8ad922e 100644
> --- a/etc/changelist
> +++ b/etc/changelist
> @@ -148,7 +148,8 @@
>  +/etc/ssh/ssh_host_rsa_key
>  /etc/ssh/ssh_host_rsa_key.pub
>  /etc/ssh/sshd_config
> -/etc/ssl/cert.pem
> +/etc/ssl/cert.base.pem
> +/etc/ssl/cert.local.pem
>  /etc/suid_profile
>  /etc/sysctl.conf
>  /etc/syslog.conf
> diff --git a/etc/rc b/etc/rc
> index 53ceedd713..fa1b560aa2 100644
> --- a/etc/rc
> +++ b/etc/rc
> @@ -227,7 +227,7 @@
>  			[[ -s $_lib ]] && file $_lib | fgrep -q 'shared object'
>  			LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN {exit 0}'
>  			LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir openssl \
> -			    x509 -in /etc/ssl/cert.pem -out /dev/null
> +			    x509 -in /etc/ssl/cert.base.pem -out /dev/null
>  			$_install $_lib $_lib_dir/$_lib
>  		fi
>  		) || { _error=true; break; }
> @@ -348,6 +348,33 @@
>  	esac
>  }
> 
> +# Regenerate /etc/ssl/cert.pem from base and local files.
> +regen_ssl_cert_pem() {
> +	cert_tmp=$(mktemp -t /etc/ssl cert.pem.XXXXXXXX) && {
> +
> +		# always use cert.base.pem as base file
> +		cat /etc/ssl/cert.base.pem >${cert_tmp}
> +
> +		# append cert.local.pem to cert.pem if exists
> +		[ -r /etc/ssl/cert.local.pem ] && \
> +			cat /etc/ssl/cert.local.pem >>${cert_tmp}
> +
> +		# check the resulting file is valid
> +		if openssl x509 -in ${cert_tmp} -out /dev/null ; then
> +			# pivot to cert.pem file
> +			mv -f ${cert_tmp} /etc/ssl/cert.pem
> +		else
> +			rm -f ${cert_tmp}
> +		fi
> +	}
> +
> +	# ensure we have a cert.pem file
> +	if [ ! -e /etc/ssl/cert.pem ] ; then
> +		echo "error: fallback to default cert.pem" >&2
> +		ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem
> +	fi
> +}
> +
>  # End subroutines.
> 
>  stty status '^T'
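Review bot: `mktemp -t /etc/ssl cert.pem.XXXXXXXX` does not do what the comment intends: with -t the argument is a template prefix (under TMPDIR), not a directory, and the second argument is rejected, so mktemp fails on every boot and the function always ends in the `ln -f` fallback (Lloyd's point 1); the form that creates the file next to its destination is `mktemp -p /etc/ssl cert.pem.XXXXXXXX`. Once that is fixed, mktemp(1) creates the file 0600, and `mv -f` carries that mode onto /etc/ssl/cert.pem, which unprivileged TLS clients then cannot read (Lloyd's point 2); a `chmod 444 ${cert_tmp}` before the mv keeps it in line with the -m 444 used for cert.base.pem in lib/libcrypto/Makefile. The validity check is also weaker than it looks: `openssl x509 -in` parses only the first certificate in the file, so a truncated or garbage cert.local.pem appended after cert.base.pem (or a short write from an unchecked `cat`) still passes and gets installed; check cert.local.pem on its own, or every block, before appending. The fallback branch only fires when cert.pem is absent, so on an upgraded system with a stale cert.pem from the old etc set a failed regeneration keeps the old file silently and the "error:" message never appears; log the failure in the else branch of the openssl check as well. Style: `cert_tmp` should be `local _cert_tmp`, following the `_lib`/`_tmpdir` convention of the surrounding code.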
> @@ -503,6 +530,8 @@
>  mount -s /var/log >/dev/null 2>&1	# cannot be on NFS
>  mount -s /usr >/dev/null 2>&1		# if NFS, fstab must use IP address
> 
> +regen_ssl_cert_pem
> +
>  reorder_libs 2>&1 |&
> 
>  start_daemon slaacd dhcpleased resolvd >/dev/null 2>&1
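Review bot: the placement after `mount -s /usr` is load-bearing, since regen_ssl_cert_pem calls mktemp(1) and openssl(1) from /usr/bin, but nothing says so; a one-line comment on the `regen_ssl_cert_pem` call would stop a later reordering of the mounts from breaking it. Running it before `reorder_libs` also means the `x509 -in /etc/ssl/cert.base.pem` check in the earlier hunk cannot depend on this step's result, which is consistent with that hunk checking the base file rather than cert.pem.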
> diff --git a/lib/libcrypto/Makefile b/lib/libcrypto/Makefile
> index 92866400c2..cbac0b8090 100644
> --- a/lib/libcrypto/Makefile
> +++ b/lib/libcrypto/Makefile
> @@ -748,7 +748,7 @@
>  	${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
>  	   ${.CURDIR}/openssl.cnf ${DESTDIR}/etc/ssl/openssl.cnf && \
>  	${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
> -	   ${.CURDIR}/cert.pem ${DESTDIR}/etc/ssl/cert.pem && \
> +	   ${.CURDIR}/cert.pem ${DESTDIR}/etc/ssl/cert.base.pem && \
>  	${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
>  	   ${.CURDIR}/x509v3.cnf ${DESTDIR}/etc/ssl/x509v3.cnf
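Review bot: cert.base.pem is now the only set-managed file under this name, but nothing in the diff installs, mentions or documents cert.local.pem (Lloyd's point 5): an admin has no way to learn that the file exists, that cert.pem is regenerated from it at boot and is clobbered if edited by hand, or what mode it should have (Lloyd's point 3). A paragraph in ssl(8) describing the two input files and how to trigger regeneration without a reboot (Lloyd's point 4) should accompany this change.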
> 
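As an added example, not code from Sebastien's diff or from OpenBSD's rc, the following standalone POSIX sh version of the merge step addresses the review points above: it uses `mktemp -p` so the temporary file lands next to its destination, checks the framing of every PEM block rather than only the first one that `openssl x509` reads, guarantees a line break between the two inputs, makes the result 0444 before the atomic rename, and only falls back to the base file when no bundle exists at all. The framing check is done in awk so the script runs without openssl(1); a production version would additionally feed each block to `openssl x509 -noout`. The function names, file paths and return codes are my own choices for this illustration.

```shell
#!/bin/sh
# Added example (not the OpenBSD diff's code): merge a base CA bundle with an
# optional local one, checking the framing of EVERY PEM block (openssl x509
# only reads the first), then replace the target atomically, world-readable.
# Variables use the _prefix convention instead of the non-POSIX "local".

# count_pem_certs FILE
# Print the number of well-framed CERTIFICATE blocks in FILE, or -1 when the
# framing is broken: nested or unterminated BEGIN, stray END, empty block,
# or a non-base64 line inside a block. Unreadable files count as broken.
count_pem_certs() {
	[ -r "$1" ] || { echo -1; return; }
	awk '
	BEGIN { inblock = 0; n = 0; bad = 0 }
	/^-----BEGIN CERTIFICATE-----$/ {
		if (inblock) bad = 1
		inblock = 1; body = 0; next
	}
	/^-----END CERTIFICATE-----$/ {
		if (!inblock || body == 0) bad = 1
		inblock = 0; n++; next
	}
	inblock {
		if ($0 !~ /^[A-Za-z0-9+\/]+=?=?$/) bad = 1
		body++
	}
	END { if (inblock) bad = 1; print (bad ? -1 : n) }
	' "$1"
}

# merge_cert_bundle BASE LOCAL OUT
# Write BASE, followed by LOCAL when LOCAL is readable and well-formed, to OUT
# via a temp file in OUT's directory so mv(1) is a same-filesystem rename.
# Return 0 when merged, 2 when LOCAL was malformed and left out, 1 when
# nothing could be written. On failure OUT is kept as it was, or linked to
# BASE if it did not exist yet (the same fallback the rc diff uses).
merge_cert_bundle() {
	_base=$1 _local=$2 _out=$3 _status=1 _skipped=0
	_tmp=$(mktemp -p "$(dirname "$_out")" cert.pem.XXXXXXXX) && {
		_want=$(count_pem_certs "$_base")
		cat "$_base" >"$_tmp"
		# guarantee a line break before appending, or END/BEGIN markers fuse
		[ -n "$(tail -c 1 "$_base")" ] && echo >>"$_tmp"
		if [ -r "$_local" ]; then
			_n=$(count_pem_certs "$_local")
			if [ "$_n" -gt 0 ]; then
				cat "$_local" >>"$_tmp"
				_want=$((_want + _n))
			elif [ "$_n" -lt 0 ]; then
				echo "merge_cert_bundle: $_local malformed, not appended" >&2
				_skipped=1
			fi
		fi
		# re-count the merged file: catches short writes and fused markers too
		if [ "$_want" -gt 0 ] && [ "$(count_pem_certs "$_tmp")" -eq "$_want" ]; then
			# mktemp(1) creates 0600; every TLS client must be able to read this
			chmod 444 "$_tmp" && mv -f "$_tmp" "$_out" && _status=$((_skipped ? 2 : 0))
		fi
		rm -f "$_tmp"
	}
	if [ ! -e "$_out" ]; then
		echo "merge_cert_bundle: no bundle produced, linking $_base" >&2
		ln -f "$_base" "$_out" || cp "$_base" "$_out"
	fi
	return $_status
}

# Usage on a real system (as root), with the paths from the thread:
#   merge_cert_bundle /etc/ssl/cert.base.pem /etc/ssl/cert.local.pem /etc/ssl/cert.pem
```

Because every block is counted both before and after concatenation, a malformed local file degrades to a base-only bundle with an exit status of 2 rather than either installing garbage or silently keeping a stale cert.pem; the caller (rc, or an admin running it after adding a CA) can log on that status.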