ca-certificates

Package: ca-certificates
Version: 2+git20170807.10b2785-lp151.7.1

Description

I noticed that running update-ca-certificates will not add a certificate to the openssl store if that certificate belongs to a different category than “authority” (only certificates from the trust list --filter=ca-anchors list will be updated).

I would think that it should also contain certificates belonging to an “other-entity” category, like certificates with a client-auth purpose for example.

Even the package’s README (/usr/share/doc/packages/ca-certificates/README) states that the openssl store contains CA certificates of all purposes.

Details

One of the scripts executed on update-ca-certificates contains a trust extract command that filters only “ca-anchors”, which will not contain certificates with a “client-auth” purpose.

https://github.com/openSUSE/ca-certificates/blob/master/openssl.run

Question

Is that the correct behavior? If yes - how should I include “client-auth” certificates in the openssl store (so that for example I could run curl without specifying --cacert cert.pem)?
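An added example, not code from the openSUSE ca-certificates package or from any of the posts on this page, showing the distinction the question turns on: `trust extract --filter=ca-anchors` only exports certificates in the “authority” category, and p11-kit derives that category from the certificate’s basicConstraints extension, so an end-entity certificate whose only claim is an extendedKeyUsage of clientAuth is not an anchor candidate regardless of which directory it is dropped into. The script walks the DER of a PEM certificate with the standard library only and reports basicConstraints and extendedKeyUsage. `classify`, `toy_cert` and the OID constants are names introduced here; `toy_cert` builds a constructed, unsigned, certificate-shaped DER blob purely so the check can run offline (it is not a real certificate).

```python
import base64

BASIC_CONSTRAINTS = "2.5.29.19"
EXT_KEY_USAGE = "2.5.29.37"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


def _tlv(buf, i):
    """Decode one DER TLV at offset i -> (tag, value, next_offset)."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def _children(body):
    """Split the body of a constructed type into its (tag, value) members."""
    out, i = [], 0
    while i < len(body):
        tag, val, i = _tlv(body, i)
        out.append((tag, val))
    return out


def _decode_oid(val):
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def _collect_extensions(body, found):
    """Find every Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }."""
    kids = _children(body)
    if 2 <= len(kids) <= 3 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
        found[_decode_oid(kids[0][1])] = kids[-1][1]
        return
    for tag, val in kids:
        if tag & 0x20:                     # constructed type: descend into it
            _collect_extensions(val, found)


def classify(pem_text):
    """Report the category p11-kit would assign plus the EKU purposes."""
    b64 = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    _, cert_body, _ = _tlv(base64.b64decode(b64), 0)
    exts = {}
    _collect_extensions(cert_body, exts)

    is_ca = False
    if BASIC_CONSTRAINTS in exts:          # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
        _, bc, _ = _tlv(exts[BASIC_CONSTRAINTS], 0)
        is_ca = any(t == 0x01 and v != b"\x00" for t, v in _children(bc))

    ekus = []
    if EXT_KEY_USAGE in exts:              # SEQUENCE OF KeyPurposeId (OIDs)
        _, seq, _ = _tlv(exts[EXT_KEY_USAGE], 0)
        ekus = [_decode_oid(v) for t, v in _children(seq) if t == 0x06]

    return {
        "category": "authority" if is_ca else "other-entity",
        "extended_key_usage": ekus,
        "client_auth": CLIENT_AUTH in ekus,
        "ca_anchors_candidate": is_ca,     # only this category reaches the OpenSSL store
    }


def _enc(tag, body):
    """Minimal DER encoder used only to build the constructed test input."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _enc(0x06, bytes(out))


def toy_cert(is_ca, ekus=()):
    """Constructed, UNSIGNED certificate-shaped DER for offline tests; not a real cert."""
    bc_val = _enc(0x30, _enc(0x01, b"\xff") if is_ca else b"")
    exts = [_enc(0x30, _enc_oid(BASIC_CONSTRAINTS) + _enc(0x01, b"\xff") + _enc(0x04, bc_val))]
    if ekus:
        eku_val = _enc(0x30, b"".join(map(_enc_oid, ekus)))
        exts.append(_enc(0x30, _enc_oid(EXT_KEY_USAGE) + _enc(0x04, eku_val)))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0xA3, _enc(0x30, b"".join(exts))))
    sig_alg = _enc(0x30, _enc_oid("1.2.840.113549.1.1.11") + _enc(0x05, b""))
    der = _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print("CA cert:         ", classify(toy_cert(True, [SERVER_AUTH])))
    print("client-auth cert:", classify(toy_cert(False, [CLIENT_AUTH])))
```

On a real file, `classify(open("cert.pem").read())` tells you before running update-ca-certificates whether the certificate is the kind the ca-anchors filter exports (basicConstraints CA:TRUE) or an end-entity certificate with a clientAuth purpose that it will skip. The extension walker is a heuristic that matches the Extension shape anywhere in the DER tree, which is sufficient for this check but not a general X.509 parser.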

You might find something that is relevant in the parent (root) directory of these ca management utilities

https://github.com/openSUSE/ca-certificates

Notice that there are a number of gotchas that support only authority certificates, not all certificate uses.
In other words, if you’re storing your certificate in one of the specified locations, you’ll see what you describe.

TSU

“ca” in “--cacert” stands for Certificate Authority, not for Client Authentication. You provide the client key with the options --cert or --key.

That might be the case if the client is issued a specific certificate to support mutual authentication.

I was considering though the more common scenario where SSL is implemented as server-only authentication, where the client only needs to store a list of authorized CAs, and when an SSL connection is made a client certificate is dynamically created and passed to the user only for that one session.

I might be mistaken, but think that the command is appropriate to import a CA cert as well for that purpose.

TSU