Tuesday, 1 February 2011

Root certificates for MacOS OpenSSL

In an earlier post I mentioned that, while MacOS includes OpenSSL it isn't preconfigured with any trusted root certificates. So before you can use it to do SSL properly you need to provide a set. 

My previous post suggested extracting them from the bundle that comes with Firefox, but I've recently come across a useful article about Alpine on MacOS by Paul Heinlein in which he points out that the MacOS operating system already has a set of preconfigured roots and that these can be extracted using the Keychain Access utility for use by OpenSSL. See his posting for details, but to quote from it:
  1. Open the Keychain Access application and choose the System Roots keychain. Select the Certificates category and you should see 100 or more certificates listed in the main panel of the window.
  2. Click your mouse on any of those certificate entries and then select them all with EditSelect All (Cmd+A).
  3. Once the certificates are all highlighted, export them to a file: FileExport Items…. Use cert as the filename and make sure Privacy Enhanced Mail (.pem) has been chosen as the file format.
  4. Copy the newly created cert.pem into the /System/Library/OpenSSL directory
Now, I wonder why Apple didn't do this for us?

3 comments:

  1. hi...Im student from Informatics engineering nice article,
    thanks for sharing :)

    ReplyDelete
  2. It was the only way to solve a persistent issue my svn host provider wasn't able to fix :)

    Thank you very much

    ReplyDelete
  3. One can also download the curl CA cert bundle and put it in the same location. Bundle and script to create bundle can be obtained here: http://curl.haxx.se/docs/caextract.html

    ReplyDelete