Setting up a directory for OpenSSL's
As I mentioned in Trusting Self-Signed Certificates from Ruby, it is possible to use the
SSL_CERT_DIR environment variable to specify where OpenSSL looks for certificates, instead of just pointing to a file with
SSL_CERT_FILE, but I had some difficulty getting it working.
I managed to work out how to do it, with some help from the man page for SSL_CTX_LOAD_VERIFY_LOCATIONS(3).
Taking the example of my Ruby post above, we'll add the cert for
keystore.openbanking.org.uk, which uses an untrusted CA.
We can use the steps in Extracting SSL/TLS Certificate Chains Using OpenSSL to extract the certificate, and output it as the file
# create our new `SSL_CERT_DIR` $ mkdir -p certs # then get the certificate chain we want to trust $ openssl s_client -showcerts -connect "keystore.openbanking.org.uk:443" < /dev/null 2>/dev/null |\ sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' \ > certs/keystore.openbanking.org.uk.pem
NOTE: You must only have one certificate per file, otherwise OpenSSL will fail to verify the given connection. I would recommend using the root-most CA you can get from OpenSSL, rather than the leaf certificate, or an intermediate. Because OpenSSL returns them in reverse order, you want to delete all but the last certificate in i.e.
Next we need to run
c_rehash for OpenSSL to be able to work with the certificates programmatically:
$ cd certs $ c_rehash .
Now we can use this new certs directory to trust lots of untrusted certs:
$ env SSL_CERT_DIR=certs ruby http.rb # ... # it works!