Tuning your PKIX Trust-store

Setup

BEFORE you get rid of the ancien trust-store, keep using it to grab the new one through HTTPS

grab the latest certificate bundle and check it fingerpring

cd /etc/ssl/
wget https://curl.se/ca/cacert.pem
wget https://curl.se/ca/cacert.pem.sha256
# --no-check-certificate

sha256sum cacert.pem
#shasum -a 256 cacert.pem
cat cacert.pem.sha256

# Thu Sep 30 03:12:05 2021 GMT
f524fc21859b776e18df01a87880efa198112214e13494275dbcbd9bcb71d976

THEN get rid of the ancien trust-store

# Ubuntu
#dpkg-reconfigure ca-certificates
#update-ca-certificates
apt purge ca-certificates

# Slackware
#ls -lF /var/lib/pkgtools/packages/ca-certificates-*
#update-ca-certificates
removepkg ca-certificates

cd /etc/ssl/
rm -rf certs/
rm -rf private/

diff -bu /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf
diff -bu /etc/ssl/openssl.cnf.dist /etc/ssl/openssl.cnf

SSL trust store tuning

tune some clients accordingly

mv -i /etc/wgetrc /etc/wgetrc.dist
grep -vE '^[[:space:]]*(;|#|$)' /etc/wgetrc.dist > /etc/wgetrc
vi /etc/wgetrc

ca_certificate = /etc/ssl/cacert.pem

there is no system-wide config for Curl

vi ~/.curlrc

cacert /etc/ssl/cacert.pem

–OR–

vi ~/.profile

export CURL_CA_BUNDLE=/etc/ssl/cacert.pem

Troubles

to check remote certificates, some application or daemon need hashed symlinks to single PEM file certificates (not bundled)

assuming the daemon is not in a chroot

$OPENSSL_HOME/bin/c_rehash /etc/ssl/certs

now for GIT

vi ~/.gitconfig

[http]
    sslCAinfo = /etc/ssl/cacert.pem

and enable your own customized new defaults for some other clients

mkdir certs/
cd certs/
ln -s ../cacert.pem ca-certificates.crt

Resources

curl

https://docs.bolt.cm/4.0/howto/curl-ca-certificates

https://docs.boltcms.io/5.0/howto/curl-ca-certificates

https://gist.github.com/olih/a50ce2181a657eefb041


GUIDES | LECTURES | BENCHMARKS | SMTP HEALTH