Testing Node for out of date root CA Certificates

Log on to a node that you suspect has an out-of-date root CA certificate bundle (ca-bundle.crt).

Use the following tool to test an HTTPS web site. Plug in your own web site that you suspect is not working because of an out-of-date root CA certificate.

openssl s_client -connect www.redhat.com:443

If you see the following output, you have confirmed an out-of-date root CA certificate.

...
    Verify return code: 20 (unable to get local issuer certificate)
...

Making CA Certificates File

Use the following procedure to create a new root CA certificate file if you have determined that a newer file is necessary.

Download and save the following text file into the netwatch project folder under src/node/ssl.

http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1

Use the Perl script to generate the certificate file from the text file.

cd netwatch/src/node/ssl
./mkcabundle.pl > ca-bundle.crt

Of course you want to follow good development practices and commit these changes into CVS.

cvs commit

Copy the new root CA certificate file to the appropriate directory.

cp ca-bundle.crt /usr/share/ssl/certs/ca-bundle.crt

Now run the following command to find the location of the OpenSSL configuration file.

openssl
OpenSSL> ca
Using configuration from /usr/share/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory
trying to load CA private key
10403:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
10403:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
error in ca
OpenSSL> quit

Go to this directory.

cd /usr/share/ssl

Now edit the configuration file openssl.cnf and make sure the contents include the following:

dir             = .                     # Where everything is kept

certificate     = $dir/cacert.pem       # The CA certificate

Create a symbolic link so that the cacert.pem named in the configuration points at the bundle you copied into certs/ above (with ln -s the target comes first and the link name last).

ln -s certs/ca-bundle.crt cacert.pem

Test your HTTPS site again and see how it works.

openssl s_client -connect www.redhat.com:443

You should now see the following in your output.

...
    Verify return code: 0 (ok)
...
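The manual check above can be scripted so that a node reports its verify return code and how many certificates in its bundle have already expired. This is an added example, not part of the original page; the bundle path and the host argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check a CA bundle the way the
# manual openssl s_client step does, and count expired certificates in it.
# The bundle path is an assumption; override it with BUNDLE=/path script host.
BUNDLE=${BUNDLE:-/usr/share/ssl/certs/ca-bundle.crt}

# Read an s_client transcript on stdin and print the number N from the
# "Verify return code: N (...)" line, or "unknown" if no such line exists.
verify_code_from_output() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"; else echo unknown; fi
}

# Connect to host:port trusting only $BUNDLE and print the verify return code.
# 0 means ok; 20 is the "unable to get local issuer certificate" case above,
# i.e. the site's root is not in the bundle.
check_site() {
    host=$1; port=${2:-443}
    echo "" | openssl s_client -connect "$host:$port" -CAfile "$BUNDLE" 2>/dev/null \
        | verify_code_from_output
}

# Split a PEM bundle on END CERTIFICATE markers and ask openssl whether each
# certificate is already past its notAfter date.
count_expired() {
    bundle=$1; total=0; expired=0
    tmp=$(mktemp) || return 1
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$tmp"
        case $line in
            *"END CERTIFICATE"*)
                total=$((total + 1))
                # -checkend 0 exits non-zero when the certificate has expired
                openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null 2>&1 \
                    || expired=$((expired + 1))
                : > "$tmp" ;;
        esac
    done < "$bundle"
    rm -f "$tmp"
    echo "$total certificates, $expired expired"
}

# Usage: script.sh www.example.com   (host is a placeholder)
if [ $# -gt 0 ]; then
    echo "verify return code for $1: $(check_site "$1")"
    count_expired "$BUNDLE"
fi
```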

Updating CA Certificates (last edited 2006-09-21 18:49:51 by mark)