From: Sebastien Marie
Subject: /etc/ssl/cert.pem : concatenate system and local files
To: tech@openbsd.org
Date: Fri, 22 May 2026 19:28:13 +0200

Hi,

Following previous discussion on misc@ about how to add private trusted certificate authorities on OpenBSD, I tried to look at it.

The following diff does:
- installing the trusted cert.pem (from lib/libcrypto) as cert.base.pem
- in rc(8), generate cert.pem from cert.base.pem (the system one) and cert.local.pem (the local file)

The rest is about using cert.base.pem for installer or for rc (checking libssl.so relinking).

misc@ discussion : https://marc.info/?l=openbsd-misc&m=177808544804485&w=2

Comments ?
--
Sebastien Marie

diff --git a/distrib/amd64/ramdisk_cd/list b/distrib/amd64/ramdisk_cd/list
index 2daf2d018e..88e2461bef 100644
--- a/distrib/amd64/ramdisk_cd/list
+++ b/distrib/amd64/ramdisk_cd/list
@@ -69,7 +69,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/arm64/ramdisk/list b/distrib/arm64/ramdisk/list
index 3a8ae2e6dd..e820b3d4f7 100644
--- a/distrib/arm64/ramdisk/list
+++ b/distrib/arm64/ramdisk/list
@@ -70,7 +70,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/armv7/ramdisk/list b/distrib/armv7/ramdisk/list
index a0f50dd607..b0745aa85a 100644
--- a/distrib/armv7/ramdisk/list
+++ b/distrib/armv7/ramdisk/list
@@ -69,7 +69,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/hppa/ramdisk/list b/distrib/hppa/ramdisk/list
index f6a78a103f..db2e4c4227 100644
--- a/distrib/hppa/ramdisk/list
+++ b/distrib/hppa/ramdisk/list
@@ -61,7 +61,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/i386/ramdisk_cd/list b/distrib/i386/ramdisk_cd/list
index d582b5bdff..1feed9ae90 100644
--- a/distrib/i386/ramdisk_cd/list
+++ b/distrib/i386/ramdisk_cd/list
@@ -66,7 +66,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/macppc/ramdisk/list b/distrib/macppc/ramdisk/list
index 62d9d91dd6..63425b9021 100644
--- a/distrib/macppc/ramdisk/list
+++ b/distrib/macppc/ramdisk/list
@@ -67,7 +67,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub
index 983881cfb3..a5f25ced10 100644
--- a/distrib/miniroot/install.sub
+++ b/distrib/miniroot/install.sub
@@ -3662,7 +3662,8 @@
 [[ $1 == -!(stable) ]] && HTTP_SETDIR=snapshots/$ARCH
 # Detect if ftp(1) has tls support and set defaults based on that.
-if [[ -e /etc/ssl/cert.pem ]]; then
+if [[ -e /etc/ssl/cert.base.pem ]]; then
+ ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem
 FTP_TLS=true
 HTTP_PROTO=https
 else
diff --git a/distrib/octeon/ramdisk/list b/distrib/octeon/ramdisk/list
index 10638a6d6f..9260ec11c7 100644
--- a/distrib/octeon/ramdisk/list
+++ b/distrib/octeon/ramdisk/list
@@ -65,7 +65,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/powerpc64/ramdisk/list b/distrib/powerpc64/ramdisk/list
index 8ae92b67a4..0291e02071 100644
--- a/distrib/powerpc64/ramdisk/list
+++ b/distrib/powerpc64/ramdisk/list
@@ -68,7 +68,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/riscv64/ramdisk/list b/distrib/riscv64/ramdisk/list
index d04c6addcd..832d58174d 100644
--- a/distrib/riscv64/ramdisk/list
+++ b/distrib/riscv64/ramdisk/list
@@ -67,7 +67,7 @@
 ARGVLINK ksh -sh
 SPECIAL rm bin/md5
-SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.pem etc/ssl/cert.pem
+SPECIAL awk -f ${UTILS}/trimcerts.awk ${DESTDIR}/etc/ssl/cert.base.pem etc/ssl/cert.base.pem
 LINK instbin usr/bin/ftp-ssl usr/bin/ftp
 SPECIAL rm usr/bin/ftp-ssl
diff --git a/distrib/sets/lists/etc/mi b/distrib/sets/lists/etc/mi
index 2be6c70eb6..57a64e025c 100644
--- a/distrib/sets/lists/etc/mi
+++ b/distrib/sets/lists/etc/mi
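Review bot: The exit status of the new `ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem` is never checked, so if the link cannot be made the branch still sets FTP_TLS=true and HTTP_PROTO=https and the installer only fails later, on the first https fetch, with a less obvious error; `ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem || echo "warning: could not create /etc/ssl/cert.pem" >&2` would at least name the cause. The line also deserves a comment saying why the link exists, since the ramdisk now ships only the trimmed cert.base.pem (see the ramdisk list hunks) and ftp(1) presumably still opens /etc/ssl/cert.pem: `# ftp(1) reads /etc/ssl/cert.pem; the ramdisk only ships cert.base.pem`. The enclosing if/else continues outside the hunk.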
@@ -37,7 +37,7 @@
 ./etc/spwd.db
 ./etc/ssh/ssh_config
 ./etc/ssh/sshd_config
-./etc/ssl/cert.pem
+./etc/ssl/cert.base.pem
 ./etc/ssl/ikeca.cnf
 ./etc/ssl/openssl.cnf
 ./etc/ssl/x509v3.cnf
diff --git a/etc/changelist b/etc/changelist
index 0dc0188b18..6da8ad922e 100644
--- a/etc/changelist
+++ b/etc/changelist
@@ -148,7 +148,8 @@
 +/etc/ssh/ssh_host_rsa_key
 /etc/ssh/ssh_host_rsa_key.pub
 /etc/ssh/sshd_config
-/etc/ssl/cert.pem
+/etc/ssl/cert.base.pem
+/etc/ssl/cert.local.pem
 /etc/suid_profile
 /etc/sysctl.conf
 /etc/syslog.conf
diff --git a/etc/rc b/etc/rc
index 53ceedd713..fa1b560aa2 100644
--- a/etc/rc
+++ b/etc/rc
@@ -227,7 +227,7 @@
 [[ -s $_lib ]] && file $_lib | fgrep -q 'shared object'
 LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN {exit 0}'
 LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir openssl \
- x509 -in /etc/ssl/cert.pem -out /dev/null
+ x509 -in /etc/ssl/cert.base.pem -out /dev/null
 $_install $_lib $_lib_dir/$_lib
 fi
 ) || { _error=true; break; }
@@ -348,6 +348,33 @@
 esac
 }
+# Regenerate /etc/ssl/cert.pem from base and local files.
+regen_ssl_cert_pem() {
+ cert_tmp=$(mktemp -t /etc/ssl cert.pem.XXXXXXXX) && {
+
+ # always use cert.base.pem as base file
+ cat /etc/ssl/cert.base.pem >${cert_tmp}
+
+ # append cert.local.pem to cert.pem if exists
+ [ -r /etc/ssl/cert.local.pem ] && \
+ cat /etc/ssl/cert.local.pem >>${cert_tmp}
+
+ # check the resulting file is valid
+ if openssl x509 -in ${cert_tmp} -out /dev/null ; then
+ # pivot to cert.pem file
+ mv -f ${cert_tmp} /etc/ssl/cert.pem
+ else
+ rm -f ${cert_tmp}
+ fi
+ }
+
+ # ensure we have a cert.pem file
+ if [ ! -e /etc/ssl/cert.pem ] ; then
+ echo "error: fallback to default cert.pem" >&2
+ ln -f /etc/ssl/cert.base.pem /etc/ssl/cert.pem
+ fi
+}
+
 # End subroutines.
 stty status '^T'
@@ -503,6 +530,8 @@
 mount -s /var/log >/dev/null 2>&1 # cannot be on NFS
 mount -s /usr >/dev/null 2>&1 # if NFS, fstab must use IP address
+regen_ssl_cert_pem
+
 reorder_libs 2>&1 |&
 start_daemon slaacd dhcpleased resolvd >/dev/null 2>&1
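Review bot: The cert.pem produced by `mv -f ${cert_tmp} /etc/ssl/cert.pem` in regen_ssl_cert_pem keeps the 0600 mode mktemp(1) gives its temporary file, so after the first boot the trust store is readable by root only, whereas the base file is installed `-m 444` (libcrypto Makefile hunk) and unprivileged TLS clients need to read it; add `chmod 444 ${cert_tmp}` before the mv. The call `mktemp -t /etc/ssl cert.pem.XXXXXXXX` also looks wrong: `-t` roots the name in TMPDIR or /tmp and the second operand is a stray template, and a temporary file outside /etc/ssl turns the mv into a cross-filesystem copy rather than an atomic rename — `mktemp -p /etc/ssl cert.pem.XXXXXXXX` seems to be what was meant, worth checking against mktemp(1). `openssl x509 -in ${cert_tmp}` parses only the first PEM block, so a truncated or malformed cert.local.pem appended after the valid base still passes the check and is installed; what actually gates the local input is checking cert.local.pem on its own before the append, and the `else` branch should report the rejection (`echo "error: invalid cert.local.pem, keeping previous cert.pem" >&2`) instead of dropping the file silently. `cert_tmp` is also left global, while the rest of rc uses underscore-prefixed locals (`$_lib`, `$_tmpdir` in the hunk above).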
diff --git a/lib/libcrypto/Makefile b/lib/libcrypto/Makefile
index 92866400c2..cbac0b8090 100644
--- a/lib/libcrypto/Makefile
+++ b/lib/libcrypto/Makefile
@@ -748,7 +748,7 @@
 ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
 ${.CURDIR}/openssl.cnf ${DESTDIR}/etc/ssl/openssl.cnf && \
 ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
- ${.CURDIR}/cert.pem ${DESTDIR}/etc/ssl/cert.pem && \
+ ${.CURDIR}/cert.pem ${DESTDIR}/etc/ssl/cert.base.pem && \
 ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
 ${.CURDIR}/x509v3.cnf ${DESTDIR}/etc/ssl/x509v3.cnf