Thursday, October 31, 2013

Adding a certificate to the global certificate chain in Fedora 19

I had the worst kind of problems with Websense rewriting every single SSL certificate for all sorts of Linux terminal commands including 'yum', 'wget', 'svn' and others. Unfortunately it took a bit of research to find out how to properly fix this, so I thought I'd share what I found out. It's not essential to understand (roughly) what an X.509 certificate is, what the difference is between PEM and DER, and what the different kinds of certificate files are, but it sure helps. As it turns out you can add a certificate in Fedora regardless of whether it is PEM or DER encoded, but since I'm a nerd I like to know this kind of stuff. If you are impatient you can skip the next section; it is mostly technical background info.

A bit about PEM/CRT/CER/DER files:

Unfortunately there seems to be a bit of confusion about PEM and DER encoded certificate files. Technically speaking a certificate in PEM format is simply an X.509 certificate encoded in ASN.1 DER encoding and then run through a Base64 encoder. Each Base64 encoded certificate is enclosed in BEGIN/END ASCII string tags. Multiple such certificates can be concatenated into a single file (using the Linux 'cat' command if necessary). This is what a single certificate and a chain of certificates in PEM format look like:

Example 1: A single certificate in PEM format:

-----BEGIN CERTIFICATE-----
                         **  snip **
-----END CERTIFICATE-----

Example 2: A certificate chain in PEM format:
-----BEGIN CERTIFICATE-----
MIIDnDCCAoSgAwIBAgIJAJmHnWWcvUFkMA0GCSqGSIb3DQEBBQUAMDcxDzANBgNV
                         **  snip **
PGC1csm4MaulhuQCWrlXVRmWFC0hVYhzAClxF/Y0gadO/SaG+G5ceXGZPpcdwjaY
9d9ljwimr1xFkeB22yXyxw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIDAWweMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJB
                         **  snip **
mYHovjrHF1D2t8b8m7CKa9aIA5GPBnc6hQLdmNVDeD/GMBWsm2vLV7eJUYs66MmE
DNuxUCAKGkq6ahq97BvIxYSazQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFtTCCA52gAwIBAgIIYY3HhjsBggUwDQYJKoZIhvcNAQEFBQAwRDEWMBQGA1UE
                         **  snip **
r0CodaxWkHS4oJyleW/c6RrIaQXpuvoDs3zk4E7Czp3otkYNbn5XOmeUwssfnHdK
Z05phkOTOPu220+DkdRgfks+KzgHVZhepA==
-----END CERTIFICATE-----

Certificate files come with a confusing variety of file extensions depending on the encoding:
  • *.pem - Certificate in PEM format (ASN1 DER and Base64 encoded). This file extension is common on Linux/Unix systems.
  • *.crt - Certificate is either in PEM format or ASN1 DER encoded. Recognized by Windows and Linux/Unix.
  • *.cer - Certificate is either in PEM format or ASN1 DER encoded. Alternate form of '*.crt' that is recognized by Windows.
  • *.der - Certificate is ASN1 DER encoded only.
The simplest way to tell whether you have a PEM or DER encoded file is to open it with a text editor like vim (ships with Linux, on Windows use Notepad). If the file contains Base64 encoded data sandwiched between BEGIN/END tags as shown in the above examples it is in PEM format. If all you can see is binary jumble, it is probably in raw DER format. If you only have a raw ASN1 DER encoded certificate available you can use the following command to transcode a DER certificate to PEM format:

openssl x509 -inform DER -outform PEM -in foobar.crt -out foobar.pem

This command also works in reverse to transcode PEM encoded certificates back to ASN1 DER format.

Adding your certificate to the global keychain in Fedora 19

It turns out that once you know the difference between *.pem, *.crt, *.cer and *.der files, adding your Websense certificate to Fedora's global certificate chain is pretty simple. Your Websense system administrator should be able to provide you with a root authority certificate for your Websense system. Once you have that, all you have to do is get a root shell, copy your *.pem file to the right directory and run one command. I prefer to back up the generated keychains that shipped with Fedora 19 just in case, but you can skip that step if you want to:

$ su -
$ cd /etc/pki/ca-trust/extracted/pem
$ mv email-ca-bundle.pem email-ca-bundle.bak
$ mv objsign-ca-bundle.pem objsign-ca-bundle.bak
$ mv tls-ca-bundle.pem tls-ca-bundle.bak
$ cp /path/to/your/certificate/foo.pem /etc/pki/ca-trust/source/anchors/
$ update-ca-trust

The update-ca-trust command takes any PEM or DER encoded certificates you added to the source/anchors directory (/usr/share/pki/ca-trust-source/anchors/ on some systems) and adds them to your global certificate chains. You should now see a new set of certificate chains with the *.pem file extension in the /etc/pki/ca-trust/extracted/pem directory, and each chain should contain a copy of your certificate. To make sure your certificate made it into each of the new keychains, just grab a random Base64 encoded line from the PEM encoded certificate you wanted to add and grep for it. The string should appear in the *.pem files but not in the *.bak files:

$ grep -l BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2\
 /etc/pki/ca-trust/extracted/pem/*.*
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
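The PEM/DER check from the first section and the verification step above, as one added shell script of my own (not from the original post): it tells PEM from DER without opening the file in an editor, and confirms the anchor landed in every extracted bundle by comparing SHA-256 fingerprints instead of grepping one Base64 line. It assumes openssl is installed and uses the Fedora 19 bundle directory named in the post.

```shell
#!/bin/sh
# Added example (not from the post). Assumes openssl is installed; Fedora 19 paths.
BUNDLE_DIR=/etc/pki/ca-trust/extracted/pem

# cert_format FILE: print PEM, DER or UNKNOWN. PEM carries the ASCII BEGIN tag;
# a DER certificate starts with the ASN.1 SEQUENCE tag byte 0x30.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' ')" = 30 ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# count_certs FILE: number of certificates in a PEM bundle (one BEGIN tag each).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# fingerprint FILE: SHA-256 fingerprint of the first certificate; encoding is
# detected so a DER anchor works without transcoding it to PEM first.
fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2
}

# bundle_fingerprints BUNDLE: one fingerprint per certificate. The bundle is split
# into one temp file per certificate; openssl ignores text outside the tags.
bundle_fingerprints() {
    dir=$(mktemp -d)
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { if (f) close(f); f = d "/" ++n ".pem" }
                     f { print > f }' "$1"
    for c in "$dir"/*.pem; do fingerprint "$c"; done
    rm -rf "$dir"
}

# anchor_in_bundle ANCHOR BUNDLE: succeed iff ANCHOR's fingerprint occurs in BUNDLE.
# Sturdier than grepping one Base64 line, which misses a re-wrapped certificate.
anchor_in_bundle() {
    bundle_fingerprints "$2" | grep -qxF "$(fingerprint "$1")"
}

# Usage: sh check-anchor.sh /path/to/foo.pem   (run after update-ca-trust)
if [ $# -eq 1 ]; then
    for b in "$BUNDLE_DIR"/*.pem; do
        anchor_in_bundle "$1" "$b" && echo "present: $b" || echo "MISSING: $b"
    done
fi
```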

For more information you might want to read the man page for update-ca-trust which, unlike some other man pages, is actually human readable.

Tuesday, October 8, 2013

I wanted to compile a C++11 example on OS X 10.8.5 but it took me a while to figure out how. Using good old g++ with the -std=c++11 option will not work like it does on Linux, since g++ is only a symlink to llvm-g++-4.2 on OS X 10.8. Apparently the GNU compiler is no longer installed due to license issues. What works is to use clang++, the new(ish) front-end to Apple's LLVM compiler, and for some reason you have to tell clang++ which C++ standard library to use. For now I'm too lazy to investigate why that is, but the following compiled the C++11 example code on cplusplus.com:

clang++ -std=c++11 -stdlib=libc++ cpp11example.cpp -o cpp11example

... or you can download the GNU compiler and install it, but for a few lines of example code that seemed like overkill.