Hello Andrey,
Thanks for the answer, but that's not exactly what we want.
update-ca-bundles is actually a script using the trust command, which generates a bundle of certificates for applications other than the system ones (Java, email, etc.). We wanted to use this functionality to create CA bundles for the applications we use in our environment, such as chefdk or Ruby gems. But the problem is that I don't know where the source of the certificates managed by the trust/update-ca-bundles command is. I am looking for this because, in addition to the global CA certificates, I would also like to include our organization's CA certificates there.
Content of the update-ca-bundles script:
$ cat /opt/freeware/bin/update-ca-bundles
#!/bin/sh
DEST=/opt/freeware/etc/ssl/certs/extracted
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
# Avoid using the RPM version of libintl - /usr/opt/rpm/lib/libintl.a
/usr/sbin/slibclean
export LIBPATH=/opt/freeware/lib:/usr/lib:/lib
# OpenSSL PEM format bundle includes certificates with trust flag, i.e.
# (BEGIN TRUSTED CERTIFICATE)
/opt/freeware/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
# TLS, email and signature PEM format bundles
/opt/freeware/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/opt/freeware/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/opt/freeware/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
# Java format bundle
/opt/freeware/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
# Create links
# /opt/freeware/etc/ssl/certs/ca-bundle.crt can be used by older software, like GO.
# Do not change it as far as possible.
ln -sf $DEST/pem/tls-ca-bundle.pem /opt/freeware/etc/ssl/certs/ca-bundle.crt
ln -sf $DEST/openssl/ca-bundle.trust.crt /opt/freeware/etc/ssl/certs/ca-bundle.trust.crt
ln -sf /opt/freeware/etc/ssl/certs/ca-bundle.crt /var/ssl/cert.pem
ln -sf /var/ssl/cert.pem /var/ssl/64/cert.pem
ln -sf /opt/freeware/etc/ssl/certs/*.crt /var/ssl/certs/
------------------------------
Kamil P
------------------------------
Original Message:
Sent: Tue September 19, 2023 03:51 AM
From: Andrey Klyachkin
Subject: Using update-ca-bundles command to generate certificate bundles on AIX with local CAs
Hello Kamil,
off the top of my head:
- you copy your private PKI certificates into /var/ssl/certs
- for each certificate:
  - you execute openssl x509 -hash -noout -in <your_certificate>
  - ln -s <your_certificate> <hash_you've_got>.0
I know it is not 100% the same as what update-ca-bundles does, but it worked for me last time.
I hope it helps.
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Mon September 18, 2023 10:45 AM
From: Kamil P
Subject: Using update-ca-bundles command to generate certificate bundles on AIX with local CAs
Hello,
I have the following problem. I would like to use the update-ca-bundles command to generate certificate bundles on AIX with our local CAs. But I can't find the source of the certificates that go into the bundle. From what I read, on Linux these are /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/, but on AIX, where should I place the CA certificate files of our local CAs? I tried /var/ssl/certs, but after executing update-ca-bundles they do not go into the bundles.
Regards,
Kamil
------------------------------
Kamil P
------------------------------