Compiling OpenSSL 1.1 - certs directory is empty, how to obtain?

Michael Wojcik Michael.Wojcik at microfocus.com
Tue Sep 3 20:36:08 UTC 2019


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Pete Cooper
> Sent: Saturday, August 24, 2019 13:10

> The `config` and subsequent `make` complete without any visible issues shown. However,
> /etc/php/shared/openssl/certs is an empty directory.

> Are there OpenSSL compile flags to explicitly build or obtain the current up-to-date
> *.pem files for my PHP-only OpenSSL build, or should I be looking elsewhere?

I haven't seen a response to this on the list.

OpenSSL does not include a collection of trusted certificates. You need to get them from some other source. You may copy them from your OS distribution, for example.

Another popular source is the Mozilla certificate collection. Adam Langley wrote a Go program that converts the Mozilla collection to PEM and excludes those marked as untrusted; you can find it at:

   https://github.com/agl/extract-nss-root-certs

(And Go itself is available from https://golang.org, of course, if you don't have that installed.)

There are many opinions about what constitutes a good collection of trust anchors for various applications. Some people feel the collections provided with most OS and browser distributions are too generous, and sacrifice security for interoperability. If you're going to assemble a set of trust anchors that includes public CAs, it may be a good idea to familiarize yourself with the issues. Ivan Ristic's /Bulletproof SSL and TLS/ (available at https://feistyduck.com) has a good survey.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
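The reply above says to copy a trust bundle from the OS or from the Mozilla collection into your own certs directory. The script below is an added example, not code from the post, from OpenSSL or from the extract-nss-root-certs tool: it takes a concatenated PEM bundle (the shape an OS ca-certificates file usually has), splits it into individual certificates, checks that each block decodes to exactly one well-formed DER SEQUENCE (a framing check only, not a full X.509 parse), drops exact duplicates and any SHA-256 fingerprints you put on a denylist, and writes one file per certificate into a directory. All function names (split_bundle, curate, write_capath, fingerprint) are this example's own, and the sample bundle is constructed from fake DER blobs, not real certificates. OpenSSL needs hash-named links in a CApath directory, so after writing the files run `openssl rehash <directory>` (available in OpenSSL 1.1); if you only need a single file for `-CAfile`, concatenating the kept `pem` fields is enough.

```python
# Added example (not from the original post or from OpenSSL): split a PEM bundle into
# one validated file per certificate, so it can be used as an OpenSSL CApath directory
# once `openssl rehash` has created the hash-named links.
import base64
import binascii
import hashlib
import os
import re
from dataclasses import dataclass

# One certificate block; re.S lets the body span lines. Text between blocks
# (comments, blank lines) is ignored, as OpenSSL's own PEM reader does.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


@dataclass(frozen=True)
class PemCert:
    pem: str      # normalised PEM text for this one certificate
    der: bytes    # decoded DER
    sha256: str   # hex SHA-256 of the DER (the usual "fingerprint")


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def der_outer_sequence_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length covers the blob.

    Catches truncated blobs, two blobs glued together and base64 that decoded to
    garbage. It does not validate the X.509 structure inside the SEQUENCE.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    return header + length == len(der)


def _pem(der: bytes, width: int = 64) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def split_bundle(text: str) -> list[PemCert]:
    """Split a concatenated PEM bundle into validated PemCert objects, in file order."""
    certs = []
    for m in PEM_CERT_RE.finditer(text):
        b64 = "".join(m.group(1).split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as e:
            raise ValueError(f"bad base64 in certificate block: {e}") from e
        if not der_outer_sequence_ok(der):
            raise ValueError("certificate block is not a single well-formed DER SEQUENCE")
        certs.append(PemCert(pem=_pem(der), der=der, sha256=fingerprint(der)))
    return certs


def curate(certs: list[PemCert], denylist: frozenset[str] = frozenset()) -> list[PemCert]:
    """Drop exact duplicates and anything whose SHA-256 fingerprint is on the denylist."""
    seen, kept = set(), []
    for c in certs:
        if c.sha256 in denylist or c.sha256 in seen:
            continue
        seen.add(c.sha256)
        kept.append(c)
    return kept


def write_capath(certs: list[PemCert], directory: str) -> list[str]:
    """Write one <sha256>.pem per certificate; run `openssl rehash <directory>` afterwards."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for c in certs:
        path = os.path.join(directory, c.sha256 + ".pem")
        with open(path, "w", encoding="ascii") as f:
            f.write(c.pem)
        paths.append(path)
    return paths


# Constructed sample input: NOT real certificates, just DER SEQUENCEs of the right
# outer shape, enough to exercise the framing check, de-duplication and the denylist.
FAKE_A = bytes.fromhex("3003020101")        # SEQUENCE { INTEGER 1 }
FAKE_B = bytes.fromhex("30050203010203")    # SEQUENCE { INTEGER 0x010203 }
SAMPLE_BUNDLE = (
    _pem(FAKE_A)
    + "# comment lines between blocks are ignored\n"
    + _pem(FAKE_B)
    + _pem(FAKE_A)                          # duplicate, should be dropped by curate()
)

if __name__ == "__main__":
    import tempfile
    kept = curate(split_bundle(SAMPLE_BUNDLE), frozenset({fingerprint(FAKE_B)}))
    print(write_capath(kept, tempfile.mkdtemp()))
```

The denylist is the hook for the point made in the reply: if you think a distribution bundle is too generous, collect the SHA-256 fingerprints of the roots you do not want to trust (for example from `openssl x509 -noout -fingerprint -sha256`) and pass them in, rather than editing the bundle by hand each time you refresh it.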