CA Cert issue has me stumped

James Simister jsimister at gmail.com
Fri Nov 15 11:31:43 MST 2019


If you use the --cacert option, I think you need to make sure the pem file
is a bundle of certificates, including the entire chain back to the root
cert. There is also a --capath option where you can specify a directory of
certificates that can be used. If using openssl, use the c_rehash command
to reprocess the certificates if you've added or removed any in the
directory.

On Fri, Nov 15, 2019, 11:02 AM Barry Roberts <blr at robertsr.us> wrote:

> My employer, in their infinite wisdom, has implemented a TLS inspection
> proxy (MITM attack), and I'm trying to figure out how to get everything
> working again on Fedora 30.
>
> I have a .pem file that I downloaded with firefox.  If I use keytool to
> import that into the java cacerts keystore, that fixes issues with java.
> So I'm pretty sure my .pem file is good.
>
> But I cannot get curl to use the .pem file to trust the ZScaler's CA cert.
> I've tried:
>
> 1. curl --cacert mitm.pem https://nodejs.org
> 2. Adding the .pem file to /etc/pki/ca-trust/source/anchors/, and making
> sure it's in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (and its
> symlink /etc/pki/tls/certs/ca-bundle.crt) after running 'update-ca-trust'
> 3. curl --cacert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>
> Curl consistently complains that it can't verify the TLS cert.  I'm
> probably missing something obvious here, but I'm stuck.  Any ideas or
> suggestions?
>
> Thanks,
> Barry
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
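The reply above makes two points worth checking before blaming curl: the file handed to `--cacert` should be a bundle whose chain ends in a self-signed root, and a `--capath` directory is only usable once `c_rehash` has created the `<subject_hash>.0` links openssl looks up. The script below is an added example, not code from either poster; it assumes the `openssl` command-line tool is installed and uses hypothetical helper names. It splits a PEM bundle, prints the subject and issuer hashes of each certificate, tells you whether the bundle forms a complete ordered chain ending in a root, shows the filename `c_rehash` would give a certificate, and runs the same offline verification curl performs against the bundle.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the `openssl` CLI is present.

# Number of certificates in a PEM file (bundle or single cert).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print "subject_hash issuer_hash subject" for each certificate in a bundle,
# in file order. Comment lines between certificates (as in the Fedora
# tls-ca-bundle.pem) are skipped because nothing is written until BEGIN.
pem_chain_summary() {
  bundle="$1"
  tmp=$(mktemp -d) || return 1
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$bundle"
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] || continue
    sh=$(openssl x509 -in "$f" -noout -subject_hash)
    ih=$(openssl x509 -in "$f" -noout -issuer_hash)
    subj=$(openssl x509 -in "$f" -noout -subject)
    printf '%s %s %s\n' "$sh" "$ih" "$subj"
  done
  rm -rf "$tmp"
}

# Exit 0 when the bundle is one ordered chain ending in a self-signed root:
# every certificate's issuer hash matches the next certificate's subject
# hash, and the last certificate's issuer hash equals its own subject hash.
# A bundle that fails this is either out of order or missing its root.
pem_chain_complete() {
  pem_chain_summary "$1" | awk '
    NR > 1 && prev_issuer != $1 { broken = 1 }
    { prev_issuer = $2; last_sh = $1; last_ih = $2 }
    END { exit !(NR > 0 && !broken && last_sh == last_ih) }
  '
}

# The filename c_rehash creates for a single-cert PEM in a --capath directory:
# the subject name hash plus ".0" (the suffix increments on hash collisions).
capath_filename() {
  printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# Offline equivalent of what curl does with --cacert: verify a leaf (server)
# certificate against the bundle. Exit status 0 means the bundle trusts it.
verify_leaf_against_bundle() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone use: ./check-bundle.sh /path/to/bundle.pem [leaf.pem]
if [ -n "${1:-}" ]; then
  pem_chain_summary "$1"
  if pem_chain_complete "$1"; then
    echo "bundle forms a complete chain ending in a self-signed root"
  else
    echo "bundle is NOT a complete ordered chain (missing root or out of order)"
  fi
  [ -n "${2:-}" ] && verify_leaf_against_bundle "$1" "$2" && echo "leaf verifies"
fi
```

Run it against `mitm.pem` first: if it reports a single certificate that is not self-signed, the proxy handed you an intermediate without its root, which is exactly the case where curl keeps failing while the Java keystore (which trusts whatever you import) appears to work. For the `--capath` route, the name printed by `capath_filename` must exist in the directory, which is what `c_rehash` creates.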