Thursday, October 31, 2013

Adding a certificate to the global certificate chain in Fedora 19

I had the worst kind of problems with Websense rewriting every single SSL certificate for all sorts of Linux terminal commands including 'yum', 'wget', 'svn' and others. Unfortunately it took a bit of research to find out how to properly fix this so I thought I'd share what I found out. It's not essential to understand (roughly) what an X.509 certificate is, what the difference is between PEM and DER, and what the different kinds of certificate files are, but it sure helps. As it turns out you can add a certificate in Fedora regardless of whether it is PEM or DER encoded, but since I'm a nerd I like to know this kind of stuff. If you are impatient you can skip the next section, it is mostly technical background info.

A bit about PEM/CRT/CER/DER files:

Unfortunately there seems to be a bit of confusion about PEM and DER encoded certificate files. Technically speaking a certificate in PEM format is simply an X.509 certificate in its ASN.1 DER encoding, run through a Base64 encoder and wrapped to 64-character lines. Each Base64 encoded certificate is enclosed in '-----BEGIN CERTIFICATE-----' / '-----END CERTIFICATE-----' ASCII tags. Multiple such certificates can be concatenated into a single file (using the Linux 'cat' command if necessary), which is how a certificate bundle is built. This is what a single certificate and a chain of certificates in PEM format look like:

Example 1: A single certificate in PEM format (Base64 body snipped):

-----BEGIN CERTIFICATE-----
                         **  snip **
-----END CERTIFICATE-----

Example 2: A certificate chain in PEM format, three certificates concatenated (Base64 bodies snipped):

-----BEGIN CERTIFICATE-----
                         **  snip **
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
                         **  snip **
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
                         **  snip **
-----END CERTIFICATE-----

Certificate files come with a confusing variety of file extensions, and the extension does not always tell you the encoding:
  • *.pem - Certificate in PEM format (ASN.1 DER encoded, then Base64 encoded). This file extension is common on Linux/Unix systems.
  • *.crt - Certificate is either in PEM format or raw ASN.1 DER encoded. Recognized by Windows and Linux/Unix.
  • *.cer - Certificate is either in PEM format or raw ASN.1 DER encoded. Alternate form of '*.crt' that is recognized by Windows.
  • *.der - Certificate is raw ASN.1 DER encoded only.
The simplest way to tell whether you have a PEM or DER encoded file is to open it with a text editor like vim (ships with Linux; on Windows use Notepad). If the file contains Base64 encoded data sandwiched between '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' tags as shown in the above examples it is in PEM format. If all you can see is binary jumble, it is probably in raw DER format (a DER certificate starts with the byte 0x30, the ASN.1 SEQUENCE tag). If you only have a raw ASN.1 DER encoded certificate available you can use the following command to transcode it to PEM format:

openssl x509 -inform DER -outform PEM -in foobar.crt -out foobar.pem

The same command transcodes a PEM encoded certificate back to ASN.1 DER format if you swap the two encodings: '-inform PEM -outform DER'.

Adding your certificate to the global certificate chain in Fedora 19

It turns out that once you know the difference between *.pem, *.crt, *.cer and *.der files, adding your Websense certificate to Fedora's global certificate chain is pretty simple. Your Websense system administrator should be able to provide you with the root CA certificate of your Websense system. Check its fingerprint with them before you install it: whoever holds the private key of that CA can impersonate any HTTPS site for every tool on your machine (which is exactly what the proxy does on purpose), so only a certificate you obtained out of band belongs in your trust store. Once you have it, all you have to do is get a root shell, copy your *.pem (or *.der) file to the anchors directory and run one command. I prefer to back up the generated chains that shipped with Fedora 19 just in case (copy them rather than move them: /etc/pki/tls/certs/ca-bundle.crt is a symlink into this directory, so TLS clients are left without a trust store until update-ca-trust has written a new one), but you can skip that step if you want to:

$ su -
# cd /etc/pki/ca-trust/extracted/pem
# cp email-ca-bundle.pem email-ca-bundle.bak
# cp objsign-ca-bundle.pem objsign-ca-bundle.bak
# cp tls-ca-bundle.pem tls-ca-bundle.bak
# cp /path/to/your/certificate/foo.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust

The update-ca-trust command takes any PEM or DER encoded certificates you added to /etc/pki/ca-trust/source/anchors/ and regenerates the global certificate chains from them plus the certificates that shipped with Fedora. (There is a second anchors directory, /usr/share/pki/ca-trust-source/anchors/, but it has lower priority and is meant for packages; local additions belong under /etc.) You should now see a freshly written set of *.pem bundles in /etc/pki/ca-trust/extracted/pem, and since an anchor added this way is trusted for every purpose, each of them should contain a copy of your certificate. The quickest check is to grab a random Base64 encoded line from the PEM certificate you added and grep for it: the string should appear in the new *.pem files but not in the *.bak copies. A more robust check compares the SHA-256 fingerprint of your certificate with the fingerprints of the certificates in each bundle, since that does not depend on line wrapping and also lets you confirm the value against the fingerprint your administrator gave you.

For more information you might want to read the man page for update-ca-trust which, unlike some other man pages, is actually human readable.
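The two manual checks in this post, eyeballing a file to tell PEM from DER and grepping the extracted bundles for a Base64 line, can be turned into a small script. The one below is an added example and is not code from the original post. It uses only coreutils (awk, GNU base64 with -w, sha256sum), so it runs without openssl, and it identifies certificates by the SHA-256 fingerprint of their DER bytes rather than by a random line of Base64. All file names are placeholders, and the demo at the bottom feeds it two tiny constructed DER SEQUENCEs instead of real certificates, which is enough for the encoding and bundle logic since none of it parses X.509:

```sh
#!/bin/sh
# Added example, not code from the original post: tell PEM from DER, convert
# between them, and check that an anchor really landed in an extracted CA
# bundle by comparing SHA-256 fingerprints of the DER bytes.
# Needs only coreutils (awk, GNU base64, sha256sum). File names are examples.

# True if the file contains a PEM certificate (Base64 between BEGIN/END tags).
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Same result as: openssl x509 -inform DER -outform PEM -in "$1" -out "$2"
# PEM wraps the Base64 body at 64 columns.
der_to_pem() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        base64 -w 64 "$1"
        echo '-----END CERTIFICATE-----'
    } > "$2"
}

# Same result as: openssl x509 -inform PEM -outform DER -in "$1" -out "$2"
# Only the first certificate in the file is converted.
pem_to_der() {
    awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
         /-----END CERTIFICATE-----/   {exit}
         f' "$1" | base64 -d > "$2"
}

# Number of certificates in a PEM file or bundle (prints 0 for none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# SHA-256 fingerprint of the n-th (1-based) certificate in a PEM file/bundle,
# computed over the decoded DER bytes so it does not depend on line wrapping.
pem_fingerprint() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ {n++; next}
        /-----END CERTIFICATE-----/   {if (n == want) exit; next}
        n == want' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# Exit 0 if the first certificate in $1 is present in bundle $2, else 1.
bundle_contains() {
    want_fp=$(pem_fingerprint "$1" 1)
    total=$(pem_count "$2")
    i=1
    while [ "$i" -le "$total" ]; do
        if [ "$(pem_fingerprint "$2" "$i")" = "$want_fp" ]; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Demo on constructed input: two tiny DER SEQUENCEs (SEQUENCE { INTEGER n })
# stand in for real certificates. They are valid DER but not X.509.
demo_dir=$(mktemp -d)
printf '\060\003\002\001\001' > "$demo_dir/anchor.der"
printf '\060\003\002\001\002' > "$demo_dir/other.der"
der_to_pem "$demo_dir/anchor.der" "$demo_dir/anchor.pem"
der_to_pem "$demo_dir/other.der"  "$demo_dir/other.pem"
cat "$demo_dir/other.pem" "$demo_dir/anchor.pem" > "$demo_dir/tls-ca-bundle.pem"

echo "anchor.pem is PEM: $(is_pem "$demo_dir/anchor.pem" && echo yes || echo no)"
echo "anchor.der is PEM: $(is_pem "$demo_dir/anchor.der" && echo yes || echo no)"
echo "certificates in bundle: $(pem_count "$demo_dir/tls-ca-bundle.pem")"
echo "anchor fingerprint: $(pem_fingerprint "$demo_dir/anchor.pem" 1)"
if bundle_contains "$demo_dir/anchor.pem" "$demo_dir/tls-ca-bundle.pem"; then
    echo "anchor is in the bundle"
else
    echo "anchor is NOT in the bundle"
fi
rm -r "$demo_dir"
```

On the Fedora box, after update-ca-trust, run bundle_contains /etc/pki/ca-trust/source/anchors/foo.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (and the same against the email and objsign bundles); it exits 0 when the anchor is present. The value pem_fingerprint prints for the anchor is the same digest 'openssl x509 -noout -fingerprint -sha256 -in foo.pem' reports, minus the colons, and that is the number to compare with the one your Websense administrator gives you.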

Tuesday, October 8, 2013

I wanted to compile a C++11 example on OS X 10.8.5 but it took me a while to figure out how. Using good old g++ with the -std=c++11 option will not work like it does on Linux since g++ is only a symlink to llvm-g++-4.2 on OS X 10.8. Apparently the GNU compiler is no longer installed due to license issues. What works is to use clang++, the new(ish) front-end to Apple's LLVM compiler, and for some reason you have to tell clang++ which C++ standard library to use. For now I'm too lazy to investigate why that is but the following compiled the C++11 example code on

clang++ -std=c++11 -stdlib=libc++ cpp11example.cpp -o cpp11example

... or you can download the GNU compiler and install it, but for a few example files that seemed like overkill.