Basil Hendroff
Up until quite recently, the FreeBSD trust store has been in disarray. @jgreco is facilitating a discussion on the impact of this in the thread SSL certificate problem: certificate has expired -- the OpenSSL 1.0.2 vs LetsEncrypt issue. The FreeBSD bug report #160387 - security/ca_root_nss: Allow user to trust extra local certificates shows how pervasive the issue is. That report was open for nine years and the outcome was unsatisfactory.
A consequence of the lack of a unified trust store is that application developers who rely on the trust store have shied away from fully embracing the FreeBSD platform for their application, that is until now. Under FreeBSD 12.2, certctl is the new certificate manager for FreeBSD. It makes it straightforward to add additional root certificates to a unified trust store.
Web public key infrastructure (PKI) is well understood; internal PKI is gaining traction. In the latter case, adding the root certificate of a local certificate authority (CA) to the trust store is an essential requirement. Solutions to date use a platform other than FreeBSD to work around the problem. For example, @danb35 has built a local CA using a Raspberry Pi running the Debian-based Pi OS. Refer to the thread TLS certificates from a local certificate authority for details.
I've been liaising with Caddy and SmallStep developers over the last six months or so on the FreeBSD trust store issue. They are now at a point where they can do something about it, at least for FreeBSD 12.2 and newer versions (read TrueNAS, not FreeNAS). I've come up with the high-level pseudocode that's required; however, being more of a troubleshooter than a developer, I'm unable to go the last mile with them. Are there any Go developers with FreeBSD experience in the TrueNAS community or within iXsystems who can contribute some of their time to help wrap this up? If you can, please head over to the SmallStep issue thread Not compatible with FreeBSD and use your expertise to bring some closure to this issue. Caddy utilises SmallStep libraries, so the benefits of a solution here will eventually flow on to Caddy.