Setting up a directory for OpenSSL's SSL_CERT_DIR

As I mentioned in Trusting Self-Signed Certificates from Ruby, it is possible to use the SSL_CERT_DIR environment variable to specify where OpenSSL looks for certificates, instead of just pointing to a file with SSL_CERT_FILE, but I had some difficulty getting it working.

I managed to work out how to do it, with some help from the man page for SSL_CTX_load_verify_locations(3).

Taking the example of my Ruby post above, we'll add the cert for keystore.openbanking.org.uk, which uses an untrusted CA.

We can use the steps in Extracting SSL/TLS Certificate Chains Using OpenSSL to extract the certificate, and output it as the file keystore.openbanking.org.uk.pem:

# create our new `SSL_CERT_DIR`
$ mkdir -p certs
# then get the certificate chain we want to trust
$ openssl s_client -showcerts -connect "keystore.openbanking.org.uk:443" < /dev/null 2>/dev/null |\
    sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' \
    > certs/keystore.openbanking.org.uk.pem

NOTE: You must only have one certificate per file; otherwise OpenSSL will fail to verify the connection. I would recommend using the root-most CA certificate you can get from OpenSSL, rather than the leaf certificate or an intermediate. Because OpenSSL prints the chain in reverse order (leaf first, root-most last), you want to delete all but the last certificate in certs/keystore.openbanking.org.uk.pem.

Next we need to run c_rehash, which creates the subject-hash symlinks OpenSSL uses to look certificates up in a directory, so that OpenSSL can work with the certificates programmatically:

$ cd certs
$ c_rehash .

Now we can point OpenSSL at this new certs directory to trust as many otherwise-untrusted CAs as we like:

$ env SSL_CERT_DIR=certs ruby http.rb
# ...
# it works!
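The steps above (extract the chain, keep one certificate per file, rehash the directory) as a small POSIX shell script. This is an added example, not code from the original post: the three-certificate chain it creates is constructed with placeholder bodies standing in for `openssl s_client -showcerts` output, so it exercises the file handling and the rehash step rather than a real TLS verification, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Splits a PEM chain as printed by
# `openssl s_client -showcerts` into one certificate per file (what SSL_CERT_DIR
# lookups require), keeps the root-most certificate, and rehashes the directory.
# The sample chain below is constructed: its bodies are placeholders, not real
# certificates, so only the file handling is exercised here.
set -eu

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_chain BUNDLE OUTDIR: write each certificate in BUNDLE to OUTDIR/cert-N.pem,
# N counting from 1 in the order s_client printed them (leaf first). Prints N.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
    END { print n + 0 }
  ' "$1"
}

# keep_last_cert BUNDLE DEST: copy only the last certificate of BUNDLE (the
# root-most one in s_client output) to DEST, following the post's advice.
keep_last_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
    inblk { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/ { inblk = 0; last = buf }
    END { printf "%s", last }
  ' "$1" > "$2"
}

# rehash_dir DIR: create the <subject-hash>.N symlinks OpenSSL uses to find a CA
# in SSL_CERT_DIR. `openssl rehash` ships with OpenSSL 1.1.0+; older releases
# only have the c_rehash perl script the post uses.
rehash_dir() {
  if command -v openssl >/dev/null 2>&1 && openssl rehash "$1" 2>/dev/null; then
    return 0
  elif command -v c_rehash >/dev/null 2>&1; then
    c_rehash "$1"
  else
    echo "no openssl rehash / c_rehash found; skipping hash links" >&2
    return 1
  fi
}

# make_sample_bundle FILE: constructed three-certificate chain (leaf, intermediate,
# root) with placeholder bodies, standing in for `openssl s_client -showcerts` output.
make_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
}

# demo: run the whole procedure in a scratch directory
demo() {
  work=$(mktemp -d)
  make_sample_bundle "$work/chain.pem"
  echo "chain has $(count_certs "$work/chain.pem") certificates"
  split_chain "$work/chain.pem" "$work/certs" >/dev/null
  keep_last_cert "$work/chain.pem" "$work/certs/root-only.pem"
  echo "root-only.pem has $(count_certs "$work/certs/root-only.pem") certificate"
  # placeholder bodies are not parseable, so hashing is allowed to fail here
  rehash_dir "$work/certs" || true
  ls -l "$work/certs"
  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it as `sh split_chain.sh --demo` to see the split files; with a real chain, the rehash step produces links named `<hash>.0`, where `<hash>` is what `openssl x509 -noout -hash -in cert.pem` prints for that certificate, and those links are what `SSL_CERT_DIR=certs` makes OpenSSL follow.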

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#blogumentation #openssl #certificates.

This post was filed under articles.
