Oracle Solaris provides a keystore for Certificate Authority (CA) certificate files. To manage the keystore, you restart the SMF ca-certificates service after you add or remove certificates from the keystore.
X.509 certificates contain an RSA public key and the key's signer ("CN" or "Subject"). The key and signer verifies that some file or object was signed with the key holder's private key. CA certificates are issued by well-known organizations to verify that a certificate is legitimate and that the public key in the certificate can be trusted.
Oracle Solaris keeps the CA certificates in the /etc/certs/CA directory. Hashed links to the CA certificates are in the /etc/openssl/certs directory to enable fast lookup and access, typically by OpenSSL. Usually, each filename in the /etc/certs/CA directory is the certificate holder's CN with spaces replaced by underscores ("_") and appended with a .pem extension. For example, the file /etc/certs/CA/ExampleCo-_G3.pem contains the certificate for CN "ExampleCo Class 4 Public Primary Certification Authority - G3".
If you need to verify a certificate with a CA certificate that is missing, you can add the certificate manually. See How to Add a CA Certificate to the Oracle Solaris CA Keystore.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Check with the issuer of the CA certificate directly.
![]() | Caution - Do not rely on verification from an entity that did not issue the CA certificate. Do not install invalid CA certificates on your system that your software would treat as trustworthy. |
Remove any text that surrounds the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Some applications are not able to handle the extra text.
For example, display the text of a certificate by using the openssl command.
# openssl x509 -noout -text -in Example_Root_CA.pem
The output should display the issuer, owner (Subject/DN), validity dates, signature algorithm, and public key, among other information.
If it is not, use the chmod command to make the file world-readable.
# chmod a+r Example_Root_CA.pem; ls -l Example_Root_CA.pem -rw-r--r-- 1 root sys 1500 Sep 10 10:10 Example_Root_CA.pem
For example:
# cp -p Example_Root_CA.pem /etc/certs/CA/
# /usr/sbin/svcadm restart /system/ca-certificates
The service adds the certificate to the /etc/certs/ca-certificates.crt file and adds a hashed link in the /etc/openssl/certs directory.
When the service restarts, it processes your new CA certificate.
$ svcs -x ca-certificates svc:/system/ca-certificates:default (CA Certificates Service) State: online since Sun Sept 10 10:10:10 2016 See: openssl(5) See: /var/svc/log/system-ca-certificates:default.log Impact: None.
Troubleshooting
If the service hasn't started, the certificate could be corrupt or could be a duplicate of an existing CA certificate. Look for error messages in the log file listed in the svcs -x command output. Also check the /system/volatile/system-ca-certificates:default.log file.