# SSL / TLS certificate



## dan75 (Oct 3, 2022)

Hello.

I am very new to FreeBSD, and not a native English speaker. My apologies.
I have used Linux a bit more, so I am a bit familiar with "unix-like" commands.

I am running VMs on a network with an outbound https proxy. This proxy requires root certificate configuration within the VMs in order for https connections to work correctly. I followed a Linux procedure for a Debian VM to make outbound https traffic work. My company does not provide an equivalent FreeBSD procedure. But I also need to configure a FreeBSD VM.

Could someone help me find the equivalent directories and commands to configure and activate a root certificate on a FreeBSD 13.0 system?

_Copy both root and intermediate certificates as individual files in PEM format into the location /usr/local/share/ca-certificates/_
_Update the CA store using the following command:_

```
cp IS_INFRA_ROOT_CRT.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```

What is the equivalent FreeBSD certificate directory to: /usr/local/share/ca-certificates/
Is it: /usr/local/etc/ssl/ ?

What is the equivalent FreeBSD command to: _update-ca-certificates_

Thank you for your help.


----------



## scottro (Oct 3, 2022)

Would it be /usr/local/share/certs? I see that when one installs the ca_root_nss pkg, that is one of the files created.
Hopefully someone with more knowledge will confirm or correct this.


----------



## jbo (Oct 3, 2022)

Hello & Welcome to this FreeBSD community!



dan75 said:


> What is the equivalent FreeBSD certificate directory to: /usr/local/share/ca-certificates/
> Is it: /usr/local/etc/ssl/ ?


Personally, I keep mine under /usr/local/etc/ssl/certs.
I seem to faintly recall from a PR a few years ago that somebody indicated that this is the more appropriate location but my memory fails me on this one.



dan75 said:


> What is the equivalent FreeBSD command to: _update-ca-certificates_


As far as I know, FreeBSD doesn't provide a centralized (root) certificate manager.
Usually the utility in question would provide a way to either persistently register or temporarily add a new CA, e.g. `openssh rehash` in the case of OpenSSH.
Check your proxy's documentation for a corresponding CLI or config file option.


----------



## Matlib (Oct 3, 2022)

Have you tried that?


----------



## W.hâ/t (Oct 4, 2022)

I am not sure if I understand correctly but you can look at security/ca_root_nss

```
[what@home]~> pkg info -l ca_root_nss
ca_root_nss-3.83:
        /etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem
        /usr/local/etc/ssl/cert.pem.sample
        /usr/local/openssl/cert.pem
        /usr/local/openssl/cert.pem.sample
        /usr/local/share/certs/ca-root-nss.crt
        /usr/local/share/licenses/ca_root_nss-3.83/LICENSE
        /usr/local/share/licenses/ca_root_nss-3.83/MPL20
        /usr/local/share/licenses/ca_root_nss-3.83/catalog.mk
```


----------
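One way to carry out the "individual files in PEM format" step of the quoted procedure on a FreeBSD VM, as an added example that is not part of any post in this thread. It assumes the base-system certctl(8) utility is present and uses /usr/local/etc/ssl/certs as the default target; the function names and the `proxy-ca` file prefix are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Splits a PEM bundle into one file per
# certificate, stages the files in a certificate directory, then refreshes the
# trust store. The default directory and the use of certctl(8) are assumptions.

# Constructed sample input: two placeholder blocks, not real certificates.
make_sample_bundle() {
    for name in ROOT INTERMEDIATE; do
        printf '%s\n' "-----BEGIN CERTIFICATE-----" \
            "CONSTRUCTED${name}PLACEHOLDER" "-----END CERTIFICATE-----"
    done > "$1"
}

# split_pem_bundle BUNDLE DESTDIR PREFIX
# Writes DESTDIR/PREFIX-N.crt for each certificate and prints how many it wrote.
split_pem_bundle() {
    bundle=$1; destdir=$2; prefix=$3
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$bundle" || true)
    # Refuse empty or truncated input instead of staging a broken file.
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$bundle: not a well-formed PEM certificate file" >&2
        return 1
    fi
    mkdir -p "$destdir" || return 1
    awk -v dir="$destdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%s-%d.crt", dir, pfx, n); keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
    ' "$bundle"
    echo "$begins"
}

# Rebuild the hashed trust store; does nothing on systems without certctl.
refresh_trust_store() {
    if command -v certctl >/dev/null 2>&1; then
        certctl rehash
    else
        echo "certctl not found; trust store not refreshed" >&2
    fi
}

# Usage: sh this-script.sh BUNDLE.pem [DESTDIR] [PREFIX]   (run as root)
if [ "$#" -ge 1 ]; then
    split_pem_bundle "$1" "${2:-/usr/local/etc/ssl/certs}" "${3:-proxy-ca}" \
        && refresh_trust_store
fi
```

Before refreshing the store, inspect each split file with `openssl x509 -noout -subject -issuer -in FILE` to confirm it is the proxy's root or intermediate certificate and nothing else.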

