[Nix-dev] Installing CA certificates

zimbatm zimbatm at zimbatm.com
Fri Feb 19 18:41:57 CET 2016


Found this which might be useful to you:
http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html


On Fri, 19 Feb 2016 at 17:36 zimbatm <zimbatm at zimbatm.com> wrote:

> curl should work just fine then. Can you paste the output of `curl -v
> https://yoursite.com` ?
>
> Chromium uses NSS which has another mechanism for its PKI which I don't
> know. Can you confirm that your cert is also in
> /etc/pki/tls/certs/ca-bundle.crt ?
> Also do you have anything under ~/.pki ?
>
>
> On Fri, 19 Feb 2016 at 16:47 Adam Russell <adamlr6 at gmail.com> wrote:
>
>> The output is:
>>
>> $ echo $SSL_CERT_FILE
>> /etc/ssl/certs/ca-certificates.crt
>> $ echo $CURL_CA_BUNDLE
>>
>> $
>>
>> And yes, the certificates are in that file. Is there another step that
>> needs to happen for curl and Chromium to be able to use them?
>>
>> On Fri, Feb 19, 2016 at 9:26 AM zimbatm <zimbatm at zimbatm.com> wrote:
>>
>>> What is the output of `echo $SSL_CERT_FILE` and `echo $CURL_CA_BUNDLE` ?
>>> If one of those is set, look in the pointed file if you can find your
>>> certificate.
>>>
>>> On Fri, 19 Feb 2016 at 15:12 Adam Russell <adamlr6 at gmail.com> wrote:
>>>
>>>> Thomas, I've not used the openssl command-line tool before, and looking
>>>> at its documentation I'm not sure what command I would run in order to test
>>>> it, or what output to look for. I can tell you that curl doesn't work
>>>> against the domains in question, though (at least without the insecure
>>>> flag).
>>>>
>>>> Regardless, with or without the "comment" with the equal signs
>>>> separator, adding things to security.pki.certificates has no effect for me.
>>>> Is there a bug, or am I doing something wrong?
>>>>
>>>> On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger <tehunger at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Adam,
>>>>>
>>>>> Can you make the TLS call work with a command line tool like openssl?
>>>>> I'm not 100% sure but I think that Chrome might use a different set of
>>>>> trusted certs (based on the Mozilla ones) [1].
>>>>>
>>>>> ~
>>>>>
>>>>> [1]
>>>>> https://www.chromium.org/Home/chromium-security/root-ca-policy
>>>>>
>>>>> On 18 February 2016 at 13:53, Adam Russell <adamlr6 at gmail.com> wrote:
>>>>>
>>>>>> Hello Nix-Dev,
>>>>>>
>>>>>> I'm trying to understand how to install CA certificates in NixOS.
>>>>>>
>>>>>> If I visit my work's webmail in Chromium, I get an indicator that my
>>>>>> connection is not private. Clicking the padlock icon in the address bar,
>>>>>> then the "Certificate information" link in the Connection tab, going to the
>>>>>> "Details" tab, and clicking "Export" allows me to download a certificate.
>>>>>>
>>>>>> The text in this export is what I am supposed to put in the array in
>>>>>> `security.pki.certificates` option of `/etc/nixos/configuration.nix`,
>>>>>> correct? Am I missing something?
>>>>>>
>>>>>> The documentation I am using is at:
>>>>>> https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
>>>>>>
>>>>>> Does the text above the equal signs have any significance
>>>>>> ("NixOS.org" in the example), or is it just a comment?
>>>>>>
>>>>>> Thanks,
>>>>>> -Adam
>>>>>>
>>>>>> _______________________________________________
>>>>>> nix-dev mailing list
>>>>>> nix-dev at lists.science.uu.nl
>>>>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>
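
The check suggested in the thread (is the exported certificate really in the bundle that `$SSL_CERT_FILE`, `$CURL_CA_BUNDLE` or `/etc/pki/tls/certs/ca-bundle.crt` points to) can be done by fingerprint instead of by eye. This is an added example, not part of the original messages or of NixOS; the function names and the sample data are assumptions made for illustration, and a match here says nothing about Chromium's separate NSS store under `~/.pki`.

```python
import base64
import hashlib
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of each certificate's decoded bytes; text outside the
    BEGIN/END markers (names, '=====' separator lines) is ignored."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def bundles_containing(cert_pem, bundles):
    """Map bundle name -> True if it holds the single cert in cert_pem."""
    wanted = fingerprints(cert_pem)
    if len(wanted) != 1:
        raise ValueError("expected exactly one certificate, got %d" % len(wanted))
    return {name: wanted[0] in fingerprints(text)
            for name, text in bundles.items()}

def candidate_bundle_paths(env=os.environ):
    """Bundle locations mentioned in the thread, env vars first, deduplicated."""
    paths = [env.get("SSL_CERT_FILE"), env.get("CURL_CA_BUNDLE"),
             "/etc/ssl/certs/ca-certificates.crt",
             "/etc/pki/tls/certs/ca-bundle.crt"]
    return list(dict.fromkeys(p for p in paths if p))

def _pem(der, width=64):
    """Wrap bytes as a PEM block (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data: placeholder bytes, not real X.509 certificates.
WORK_CA_DER = b"constructed-work-ca" * 8
EXPORTED = _pem(WORK_CA_DER).replace("\n", "\r\n")  # constructed with CRLF endings
SAMPLE_BUNDLES = {
    "with-work-ca": "Public CA\n=========\n" + _pem(b"constructed-public-ca" * 8)
                    + "Work CA\n=======\n" + _pem(WORK_CA_DER, width=76),
    "without-work-ca": "Public CA\n=========\n" + _pem(b"constructed-public-ca" * 8),
}

if __name__ == "__main__":
    print(bundles_containing(EXPORTED, SAMPLE_BUNDLES))
    print(candidate_bundle_paths())
```

Comparing decoded bytes rather than text means differences in line wrapping, line endings or the name line above the equal signs do not cause a false "missing" result.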