Usually SSL certificates are installed system-wide (e.g. in /etc/ssl/certs). Is it possible to configure OpenSSL in a way that allows users to put certificates in their home directory (for example in ~/.ssl/certs)?
A use-case could be a user that needs to access services with a self-signed certificate (generated by him, thus trusted); having the self-signed CA installed system wide would be wrong because the other users shouldn't trust that CA.
If you mean applications using the OpenSSL library for SSL, each application can either specify the (concatenated) file and/or (hash-linked) directory to be used for trusted certs, or it can invoke OpenSSL's defaults, or it could offer the choice. In the first case, you need to (be able to) configure the app with what to specify. For example, in curl use --cacert and/or --capath per http://curl.haxx.se/docs/manpage.html . In the second case, the compiled-in OpenSSL defaults, which are system and possibly build dependent, can be overridden by the environment variables SSL_CERT_FILE and SSL_CERT_DIR respectively.

If you mean applications using the OpenSSL library for other things (that use certs) like CMS/SMIME, OpenSSL has a less simple API; basically the application must directly build up an X509_STORE to be used for validation, although I think it can still invoke the same defaults.

If you mean the command-line program openssl, the picture is a little more complicated. Some utilities (subcommands) don't use a truststore (or even certs at all); those that do have options to specify one, usually -CAfile and -CApath; see the man pages for s_client, verify, ocsp, etc. as applicable. However, the logic that is supposed to use the defaults if you don't specify the options has long been coded inconsistently; there was discussion on the support list a few months ago and I believe a fix has (finally) been agreed, but as of 1.0.1j 15 Oct 2014 it isn't released.
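The per-user trust directory the question asks about, worked through as an added shell example (this is not code from the question or the answer above). It builds a hash-linked directory of the form OpenSSL expects for -CApath and SSL_CERT_DIR, and verifies a certificate against it with the explicit -CApath option rather than relying on the command-line tool's default-path logic that the answer describes as inconsistent. The CA it generates is constructed test data; the path ~/.ssl/certs in the usage comment is the question's suggestion, not an OpenSSL convention, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: maintain a per-user OpenSSL
# trust directory and verify against it with an explicit -CApath.
set -eu

# Generate a throwaway self-signed CA (constructed test data, 1-day validity)
# into $1/ca.pem with its private key in $1/ca.key.
make_selfsigned_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example-user-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Install PEM certificate $1 into hash directory $2 under the name
# <subject-hash>.0, the layout -CApath / SSL_CERT_DIR lookups require.
# The hash is computed with "openssl x509 -hash" so this works without
# c_rehash or "openssl rehash". Prints the installed path.
install_user_cert() {
    cert="$1"; certdir="$2"
    mkdir -p "$certdir"
    hash=$(openssl x509 -hash -noout -in "$cert")
    cp "$cert" "$certdir/$hash.0"   # copy rather than symlink: self-contained dir
    printf '%s\n' "$certdir/$hash.0"
}

# Verify certificate $1 against hash directory $2 using the explicit option,
# so the result does not depend on compiled-in defaults. Prints "ok" or "fail"
# and always returns 0 so callers can branch on the printed value.
verify_against_dir() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Stand-alone demonstration: run as "sh this.sh demo".
# The same directory can then be handed to library users via the environment,
# e.g.  SSL_CERT_DIR="$HOME/.ssl/certs" curl https://host.example/  (assumed URL),
# or to curl directly with --capath "$HOME/.ssl/certs".
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_selfsigned_ca "$work/ca"
    install_user_cert "$work/ca/ca.pem" "$work/certs"
    echo "trusted dir:  $(verify_against_dir "$work/ca/ca.pem" "$work/certs")"
    mkdir -p "$work/empty"
    echo "empty dir:    $(verify_against_dir "$work/ca/ca.pem" "$work/empty")"
    rm -rf "$work"
fi
```

The check against an empty directory is the part worth keeping around: a user-local CA that is only installed this way is trusted by exactly the processes that are pointed at the directory, which is the isolation the question is after, and the "fail" result confirms nothing else is silently supplying trust for it.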