List all available ssl ca certificates

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
23
down vote

favorite
14












My git client claims



error: Peer's Certificate issuer is not recognized.


That means it can not find the corresponding ssl server key in the global system keyring. I want to check this by looking at the list of all system wide available ssl keys on a gentoo linux system. How can I get this list?










share|improve this question



























    up vote
    23
    down vote

    favorite
    14












    My git client claims



    error: Peer's Certificate issuer is not recognized.


    That means it can not find the corresponding ssl server key in the global system keyring. I want to check this by looking at the list of all system wide available ssl keys on a gentoo linux system. How can I get this list?










    share|improve this question

























      up vote
      23
      down vote

      favorite
      14









      up vote
      23
      down vote

      favorite
      14






      14





      My git client claims



      error: Peer's Certificate issuer is not recognized.


      That means it can not find the corresponding ssl server key in the global system keyring. I want to check this by looking at the list of all system wide available ssl keys on a gentoo linux system. How can I get this list?










      share|improve this question















      My git client claims



      error: Peer's Certificate issuer is not recognized.


      That means it can not find the corresponding ssl server key in the global system keyring. I want to check this by looking at the list of all system wide available ssl keys on a gentoo linux system. How can I get this list?







      linux openssl






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Oct 23 '13 at 14:33

























      asked Oct 23 '13 at 12:29









      Jonas Stein

      1,07021033




      1,07021033




















          3 Answers
          3






          active

          oldest

          votes

















          up vote
          42
          down vote



          accepted










          It's not SSL keys you want, it's certificate authorities, and more precisely their certificates.



          You could try:



          awk -v cmd='openssl x509 -noout -subject' '
          /BEGIN/close(cmd);print ' < /etc/ssl/certs/ca-certificates.crt


          To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt



          Beware that sometimes, you get that error when SSL servers forget to provided the intermediate certificates.



          Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.






          share|improve this answer
















          • 1




            // , This does not work on CEntOS 6, but I have added an answer for CEntOS 6 here: unix.stackexchange.com/a/363309/48498
            – Nathan Basanese
            May 5 '17 at 21:25

















          up vote
          12
          down vote













          Not sure about Gentoo but most distros put their certificates soft-link in system-wide location at /etc/ssl/certs.



          • Key files go into /etc/ssl/private

          • System-provided actual files are located at /usr/share/ca-certificates

          • Custom certificates go into /usr/local/share/ca-certificates

          Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.






          share|improve this answer






















          • /etc/ssl/certs is the correct folder in gentoo. But the files are not well to read for human eyes.
            – Jonas Stein
            Oct 23 '13 at 15:09






          • 2




            It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).
            – Slaven Rezic
            Jul 17 '17 at 13:01










          • @SlavenRezic - Someone fixed it.
            – Craig S. Anderson
            Sep 13 at 23:22

















          up vote
          0
          down vote













          I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:



          locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in





          share








          New contributor




          Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.

















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f97244%2flist-all-available-ssl-ca-certificates%23new-answer', 'question_page');

            );

            Post as a guest






























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            42
            down vote



            accepted










            It's not SSL keys you want, it's certificate authorities, and more precisely their certificates.



            You could try:



            awk -v cmd='openssl x509 -noout -subject' '
            /BEGIN/close(cmd);print ' < /etc/ssl/certs/ca-certificates.crt


            To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt



            Beware that sometimes, you get that error when SSL servers forget to provided the intermediate certificates.



            Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.






            share|improve this answer
















            • 1




              // , This does not work on CEntOS 6, but I have added an answer for CEntOS 6 here: unix.stackexchange.com/a/363309/48498
              – Nathan Basanese
              May 5 '17 at 21:25














            up vote
            42
            down vote



            accepted










            It's not SSL keys you want, it's certificate authorities, and more precisely their certificates.



            You could try:



            awk -v cmd='openssl x509 -noout -subject' '
            /BEGIN/close(cmd);print ' < /etc/ssl/certs/ca-certificates.crt


            To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt



            Beware that sometimes, you get that error when SSL servers forget to provided the intermediate certificates.



            Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.






            share|improve this answer
















            • 1




              // , This does not work on CEntOS 6, but I have added an answer for CEntOS 6 here: unix.stackexchange.com/a/363309/48498
              – Nathan Basanese
              May 5 '17 at 21:25












            up vote
            42
            down vote



            accepted







            up vote
            42
            down vote



            accepted






            It's not SSL keys you want, it's certificate authorities, and more precisely their certificates.



            You could try:



            awk -v cmd='openssl x509 -noout -subject' '
            /BEGIN/close(cmd);print ' < /etc/ssl/certs/ca-certificates.crt


            To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt



            Beware that sometimes, you get that error when SSL servers forget to provided the intermediate certificates.



            Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.






            share|improve this answer












            It's not SSL keys you want, it's certificate authorities, and more precisely their certificates.



            You could try:



            awk -v cmd='openssl x509 -noout -subject' '
            /BEGIN/close(cmd);print ' < /etc/ssl/certs/ca-certificates.crt


            To get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt



            Beware that sometimes, you get that error when SSL servers forget to provided the intermediate certificates.



            Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Oct 23 '13 at 13:08









            Stéphane Chazelas

            288k54533870




            288k54533870







            • 1




              // , This does not work on CEntOS 6, but I have added an answer for CEntOS 6 here: unix.stackexchange.com/a/363309/48498
              – Nathan Basanese
              May 5 '17 at 21:25












            • 1




              // , This does not work on CEntOS 6, but I have added an answer for CEntOS 6 here: unix.stackexchange.com/a/363309/48498
              – Nathan Basanese
              May 5 '17 at 21:25







            1




            1




            // , This does not work on CEntOS 6, but I have added an answer for CEntOS 6 here: unix.stackexchange.com/a/363309/48498
            – Nathan Basanese
            May 5 '17 at 21:25




            // , This does not work on CEntOS 6, but I have added an answer for CEntOS 6 here: unix.stackexchange.com/a/363309/48498
            – Nathan Basanese
            May 5 '17 at 21:25












            up vote
            12
            down vote













            Not sure about Gentoo but most distros put their certificates soft-link in system-wide location at /etc/ssl/certs.



            • Key files go into /etc/ssl/private

            • System-provided actual files are located at /usr/share/ca-certificates

            • Custom certificates go into /usr/local/share/ca-certificates

            Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.






            share|improve this answer






















            • /etc/ssl/certs is the correct folder in gentoo. But the files are not well to read for human eyes.
              – Jonas Stein
              Oct 23 '13 at 15:09






            • 2




              It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).
              – Slaven Rezic
              Jul 17 '17 at 13:01










            • @SlavenRezic - Someone fixed it.
              – Craig S. Anderson
              Sep 13 at 23:22














            up vote
            12
            down vote













            Not sure about Gentoo but most distros put their certificates soft-link in system-wide location at /etc/ssl/certs.



            • Key files go into /etc/ssl/private

            • System-provided actual files are located at /usr/share/ca-certificates

            • Custom certificates go into /usr/local/share/ca-certificates

            Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.






            share|improve this answer






















            • /etc/ssl/certs is the correct folder in gentoo. But the files are not well to read for human eyes.
              – Jonas Stein
              Oct 23 '13 at 15:09






            • 2




              It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).
              – Slaven Rezic
              Jul 17 '17 at 13:01










            • @SlavenRezic - Someone fixed it.
              – Craig S. Anderson
              Sep 13 at 23:22












            up vote
            12
            down vote










            up vote
            12
            down vote









            Not sure about Gentoo but most distros put their certificates soft-link in system-wide location at /etc/ssl/certs.



            • Key files go into /etc/ssl/private

            • System-provided actual files are located at /usr/share/ca-certificates

            • Custom certificates go into /usr/local/share/ca-certificates

            Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.






            share|improve this answer














            Not sure about Gentoo but most distros put their certificates soft-link in system-wide location at /etc/ssl/certs.



            • Key files go into /etc/ssl/private

            • System-provided actual files are located at /usr/share/ca-certificates

            • Custom certificates go into /usr/local/share/ca-certificates

            Whenever you put a certificate in one of the above mentioned paths, run update-ca-certificates to update /etc/ssl/certs lists.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Jan 27 at 21:52









            Sam Brightman

            19316




            19316










            answered Oct 23 '13 at 12:45









            SHW

            7,75133470




            7,75133470











            • /etc/ssl/certs is the correct folder in gentoo. But the files are not well to read for human eyes.
              – Jonas Stein
              Oct 23 '13 at 15:09






            • 2




              It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).
              – Slaven Rezic
              Jul 17 '17 at 13:01










            • @SlavenRezic - Someone fixed it.
              – Craig S. Anderson
              Sep 13 at 23:22
















            • /etc/ssl/certs is the correct folder in gentoo. But the files are not well to read for human eyes.
              – Jonas Stein
              Oct 23 '13 at 15:09






            • 2




              It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).
              – Slaven Rezic
              Jul 17 '17 at 13:01










            • @SlavenRezic - Someone fixed it.
              – Craig S. Anderson
              Sep 13 at 23:22















            /etc/ssl/certs is the correct folder in gentoo. But the files are not well to read for human eyes.
            – Jonas Stein
            Oct 23 '13 at 15:09




            /etc/ssl/certs is the correct folder in gentoo. But the files are not well to read for human eyes.
            – Jonas Stein
            Oct 23 '13 at 15:09




            2




            2




            It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).
            – Slaven Rezic
            Jul 17 '17 at 13:01




            It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit).
            – Slaven Rezic
            Jul 17 '17 at 13:01












            @SlavenRezic - Someone fixed it.
            – Craig S. Anderson
            Sep 13 at 23:22




            @SlavenRezic - Someone fixed it.
            – Craig S. Anderson
            Sep 13 at 23:22










            up vote
            0
            down vote













            I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:



            locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in





            share








            New contributor




            Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





















              up vote
              0
              down vote













              I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:



              locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in





              share








              New contributor




              Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.



















                up vote
                0
                down vote










                up vote
                0
                down vote









                I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:



                locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in





                share








                New contributor




                Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:



                locate .pem | grep ".pem$" | xargs -I openssl x509 -issuer -enddate -noout -in






                share








                New contributor




                Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.








                share


                share






                New contributor




                Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                answered 9 mins ago









                Dwight Emmons

                1




                1




                New contributor




                Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.





                New contributor





                Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






                Dwight Emmons is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f97244%2flist-all-available-ssl-ca-certificates%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?