List all available ssl ca certificates
Votes: 23

My git client claims

    error: Peer's Certificate issuer is not recognized.

That means it cannot find the corresponding SSL server key in the global system keyring. I want to check this by looking at the list of all system-wide available SSL keys on a Gentoo Linux system. How can I get this list?

Tags: linux openssl
asked Oct 23 '13 at 12:29 by Jonas Stein (edited Oct 23 '13 at 14:33)

3 Answers

Votes: 42 (accepted)

It's not SSL keys you want, it's certificate authorities, and more precisely their certificates.

You could try:

    # Feed each certificate of the bundle to its own openssl process
    awk -v cmd='openssl x509 -noout -subject' '
        /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

to get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt.

Beware that sometimes you get that error when SSL servers forget to provide the intermediate certificates. Use

    openssl s_client -showcerts -connect the-git-server:443

to get the list of certificates being sent.

answered Oct 23 '13 at 13:08 by Stéphane Chazelas

// , This does not work on CentOS 6, but I have added an answer for CentOS 6 here: unix.stackexchange.com/a/363309/48498 – Nathan Basanese, May 5 '17 at 21:25

Votes: 12

Not sure about Gentoo, but most distros put soft links to their certificates in a system-wide location at /etc/ssl/certs.

- Key files go into /etc/ssl/private
- System-provided actual files are located at /usr/share/ca-certificates
- Custom certificates go into /usr/local/share/ca-certificates

Whenever you put a certificate in one of the above-mentioned paths, run update-ca-certificates to update the /etc/ssl/certs lists.

answered Oct 23 '13 at 12:45 by SHW (edited Jan 27 at 21:52 by Sam Brightman)

/etc/ssl/certs is the correct folder in Gentoo. But the files are not easy for human eyes to read. – Jonas Stein, Oct 23 '13 at 15:09

It's update-ca-certificates with an additional s (can't edit this myself, as it's just a one-character edit). – Slaven Rezic, Jul 17 '17 at 13:01

@SlavenRezic - Someone fixed it. – Craig S. Anderson, Sep 13 at 23:22

Votes: 0

I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:

    locate .pem | grep '\.pem$' | xargs -I{} openssl x509 -issuer -enddate -noout -in {}

answered 9 mins ago by Dwight Emmons
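
Added example, not part of any answer above: it combines the per-certificate awk split from the accepted answer with the expiry check from the last answer, so every certificate in a bundle (not just the first) is listed with its subject and end date, and private keys sharing a .pem file are skipped. The helper names list_bundle and scan_files and the 30-day default are assumptions made for illustration; it needs only openssl and awk.

```shell
#!/bin/sh
# Added example, not from the answers: list_bundle and scan_files are
# hypothetical helper names; the 30-day default window is an assumption.

# list_bundle FILE [DAYS]
# One line per certificate in FILE: STATUS <TAB> notAfter <TAB> subject.
# STATUS is EXPIRING if the certificate is expired or expires within DAYS.
# Only BEGIN/END CERTIFICATE blocks are fed to openssl, so private keys and
# comments in the same file are skipped, and every certificate of a bundle
# is inspected (openssl x509 on its own reads only the first one).
list_bundle() (
    days=${2:-30}
    awk -v cmd="openssl x509 -noout -subject -enddate -checkend $(($days * 86400))" '
        /-----BEGIN CERTIFICATE-----/ { close(cmd); incert = 1 }
        incert                        { print | cmd }
        /-----END CERTIFICATE-----/   { incert = 0 }
    ' "$1" |
    awk '
        /^subject=/  { sub(/^subject= */, ""); subject = $0 }
        /^notAfter=/ { sub(/^notAfter=/, "");  notafter = $0 }
        /^Certificate will/ {
            status = ($0 ~ /will not expire/) ? "OK" : "EXPIRING"
            printf "%s\t%s\t%s\n", status, notafter, subject
        }'
)

# scan_files [DAYS]
# Reads file names on stdin and prints FILE <TAB> notAfter <TAB> subject
# for every certificate that is expired or expires within DAYS.
scan_files() {
    while IFS= read -r f; do
        list_bundle "$f" "${1:-30}" |
            awk -F '\t' -v f="$f" '$1 == "EXPIRING" { print f "\t" $2 "\t" $3 }'
    done
}

# Usage:
#   list_bundle /etc/ssl/certs/ca-certificates.crt 60
#   find /etc/ssl -name '*.pem' | scan_files 30
```
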