Recently one of my machines was put behind a proxy, meaning some programs I had working no longer do.
When I try to do "openssl s_client -showcerts -connect remoteserver:remoteport" it presents me with a lovely "Verify return code: 20 (unable to get local issuer certificate)". I take it that is because the intermediate (proxy) certificate is not recognized.
If my assumption is correct, I believe I have to install the root certificate of the proxy in order to have my programs work again.
I was given a .cer file which I transformed to a PEM file as follows:
openssl x509 -inform der -in certificate.cer -out certificate.pem
I then went on to get the hash of the PEM (as suggested here https://stackoverflow.com/questions/12041512/openssl-unable-to-get-local-issuer-certificate-unless-cafile-is-explicitly-speci):
openssl x509 -issuer_hash -noout -in certificate.pem
This gave me a string (e.g. a8a87a6a).
I then copied the PEM file, renamed to a8a87a6a, into /etc/pki/tls/certs; however, I still get the same "Verify return code: 20 (unable to get local issuer certificate)" even when running with "-CApath /etc/pki/tls/certs/".
I also tried renaming the file with the extensions .pem, .crt and .cer, to no avail.
Quite frustrated by this: how can I get this certificate to be recognized as legit and get my stuff working again?
In CentOS 5, trusted certificates are located in /etc/pki/tls/certs/ca-bundle.crt. Simply append your new trusted cert to this file.
This is the answer to your question of how to add a new cert. But probably this will not resolve your problem. It's highly possible that your proxy cert (CN name) will not match your service CN.
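The hashed-directory install that the question attempts, written out as an added example (not code from the question or the answer): it assumes the openssl CLI is on PATH and constructs its own throwaway CA and leaf certificate in place of a real proxy certificate, then shows the verify failing before the CA is installed and passing once the file sits in the CApath under its subject hash with the ".0" suffix.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` is on PATH.
# All certificates here are constructed on the fly; nothing touches the system store.
set -e

WORK=$(mktemp -d)
CAPATH="$WORK/certs"        # stands in for /etc/pki/tls/certs
mkdir -p "$CAPATH"

# Constructed test CA ("proxy root") and a leaf certificate signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Proxy Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=remoteserver" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Install a CA cert into a CApath directory. OpenSSL looks the issuer up by the
# hash of the CA's *subject* name (-subject_hash, not -issuer_hash) plus a ".0"
# suffix (".1", ".2", ... if two CAs share a hash); a bare hash or .pem name is ignored.
install_ca() {            # $1 = CA PEM, $2 = CApath directory; prints the installed path
  hash=$(openssl x509 -subject_hash -noout -in "$1")
  n=0
  while [ -e "$2/$hash.$n" ]; do n=$((n + 1)); done
  cp "$1" "$2/$hash.$n"
  echo "$2/$hash.$n"
}

# Prints OK when a chain to a trusted root builds against the given CApath, else FAIL
# (the FAIL case is the "unable to get local issuer certificate" situation).
verify_leaf() {           # $1 = leaf PEM, $2 = CApath directory
  if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_test_pki
BEFORE=$(verify_leaf "$WORK/leaf.pem" "$CAPATH")   # FAIL: no issuer in the directory yet
INSTALLED=$(install_ca "$WORK/ca.pem" "$CAPATH")
AFTER=$(verify_leaf "$WORK/leaf.pem" "$CAPATH")    # OK once the hashed file exists
echo "before=$BEFORE installed=$INSTALLED after=$AFTER"
```

The same hash naming is what `c_rehash` (or `openssl rehash`) produces in bulk, which is why a certificate dropped into the directory under an arbitrary name is never found.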