# [Solved] Help with Trust Certificates

## gfaccin

Hi all,

In my workplace I work basically under the surveillance of The Big Brother.

Everyone uses Windows and is required to install network certificates, named SonicWall_DPI-SSL_CA.cer and dpi-ssl-2048-sha2.cer, from SonicWall Inc.

I'm the only one using Gentoo because I don't want Windows. I need to be free to work (really, not doing anything wrong, just need my apps and linux programming environment).

I've installed those pesky certificates in Firefox in order to access the web.

My problem is with portage: whenever I try to install software that is downloaded by portage using wget, errors like this happen:

```
arara gfaccin # layman -L
 * Fetching remote list...
 * Warning: an installed db file was not found at: ['/var/lib/layman/cache_930c3ed4a5f89f74fd810585751a06e3.xml']
 * Connector.connect_url(); Failed to update the mirror list from: https://api.gentoo.org/overlays/repositories.xml
 * SSLError was:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
```

I know that I can install certificates in /usr/local/share/ca-certificates. However, that location takes certificates in a different format than the .cer files that I've got, and I don't know how to convert them from the Windows .cer format to a linux compatible one.

I've also tried to customize the wget command used by emerge in order to ignore certificates; something like this in /etc/portage/make.conf:

```
FETCHCOMMAND="/usr/bin/wget --no-check-certificate ${URI} -P ${DISTDIR}/${FILE}"
RESUMECOMMAND="/usr/bin/wget -c --no-check-certificate ${URI} -P ${DISTDIR}/${FILE}"
```

However, that fails because the file downloaded by emerge is saved as a directory. It would be fixed, it appears, by removing the ${FILE} in the command, but emerge does not accept that possibility.

Can anyone please guide me in order to have emerge and layman working in a network that requires these certificates?

Thank you!

----------

## wolvie

if you need to convert the certificates format this should do the trick:

```
openssl x509 -inform der -in certificate.cer -out certificate.pem
```

----------

## gfaccin

Thanks for the reply wolvie!

I tried to convert the certificates here at home (will be able to test definitively at work next Monday). One of the certificates converted out of the box.

The other one returned an error:

```
gfaccin@piranha ~/ufgd/VPN $ openssl x509 -inform der -in SonicWall_DPI-SSL_CA.cer -out SonicWall_DPI-SSL_CA.pem
unable to load certificate
139964553229976:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1199:
139964553229976:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509
```

Would you have any guidance on this one? Thanks!

----------

## wolvie

hmmm.. seems the second one isn't in DER format.

try to read the certificate info with openssl with

```
openssl x509 -in  SonicWall_DPI-SSL_CA.cer -text -noout
```

----------

## gfaccin

*wolvie wrote:*

> hmmm.. seems the second one isn't in DER format.
> 
> try to read the certificate info with openssl with
> 
> ```
> ...
> ```

Here's the output:

```
gfaccin@piranha ~/ufgd/VPN $ openssl x509 -in  SonicWall_DPI-SSL_CA.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c0:a8:73:0e:ce:72:9d:bf
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, O=SonicWALL Inc., CN=SonicWALL Firewall DPI-SSL
        Validity
            Not Before: Mar  9 21:39:20 2009 GMT
            Not After : Mar  4 21:39:20 2029 GMT
        Subject: C=US, ST=CA, O=SonicWALL Inc., CN=SonicWALL Firewall DPI-SSL
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cf:52:af:45:62:33:d5:1f:40:33:c4:d7:5d:74:
                    bd:0a:59:91:b0:4c:25:d5:16:4c:67:28:9b:1f:25:
                    93:ff:23:7b:7f:0e:f8:68:eb:4b:5c:c4:6f:0c:3b:
                    24:9f:46:10:cf:0f:62:73:f1:37:da:40:98:28:6d:
                    48:dc:b9:6e:f8:90:74:da:97:7c:03:21:4b:14:47:
                    20:28:38:94:57:2c:6b:de:5b:ce:84:66:d5:4c:c3:
                    d3:d8:d7:aa:c2:50:3b:c0:51:e9:b9:8b:13:e5:d9:
                    62:70:3f:40:5f:96:ed:a8:a7:e7:cf:56:90:24:b7:
                    11:1f:60:a6:dc:2e:c3:af:37
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                57:40:CF:79:DA:79:91:21:46:95:20:E0:C7:C3:D8:38:3D:DE:79:A8
            X509v3 Authority Key Identifier: 
                keyid:57:40:CF:79:DA:79:91:21:46:95:20:E0:C7:C3:D8:38:3D:DE:79:A8
                DirName:/C=US/ST=CA/O=SonicWALL Inc./CN=SonicWALL Firewall DPI-SSL
                serial:C0:A8:73:0E:CE:72:9D:BF
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         a6:92:04:62:1f:c0:35:af:a8:a7:d2:ed:e2:02:a1:41:ba:23:
         43:76:4a:9e:7d:53:99:01:42:c4:a6:5c:74:d3:f9:04:4d:1e:
         66:dc:83:ae:ac:6f:a9:2a:59:f8:4a:63:69:95:98:31:03:af:
         e5:76:bf:b0:3e:05:d0:0f:bd:a6:6d:75:07:0c:b2:1a:49:ea:
         e7:8c:c8:4d:0b:53:31:85:51:a2:5d:31:8b:c9:82:f6:50:bb:
         f9:da:69:3c:10:8c:d8:43:19:3b:0d:67:cb:26:a0:ae:53:26:
         79:f7:eb:29:91:0b:b8:d2:e4:d9:5f:5e:03:73:fb:8c:d7:8d:
         9b:26
gfaccin@piranha ~/ufgd/VPN $ 
```

----------

## wolvie

looks like the certificate is already in PEM format, no need to convert, it might have some garbage before the

```
-----BEGIN CERTIFICATE-----
```

if it does not get accepted try to make a copy of it and remove anything before that line and try again

----------

## gfaccin

I'll try just renaming it. 

The contents of the file, as shown in a text editor, are these:

```
-----BEGIN CERTIFICATE-----
MIIC6zCCAlSgAwIBAgIJAMCocw7Ocp2/MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEXMBUGA1UEChMOU29uaWNXQUxMIEluYy4xIzAh
BgNVBAMTGlNvbmljV0FMTCBGaXJld2FsbCBEUEktU1NMMB4XDTA5MDMwOTIxMzky
MFoXDTI5MDMwNDIxMzkyMFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRcw
FQYDVQQKEw5Tb25pY1dBTEwgSW5jLjEjMCEGA1UEAxMaU29uaWNXQUxMIEZpcmV3
YWxsIERQSS1TU0wwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM9Sr0ViM9Uf
QDPE1110vQpZkbBMJdUWTGcomx8lk/8je38O+GjrS1zEbww7JJ9GEM8PYnPxN9pA
mChtSNy5bviQdNqXfAMhSxRHICg4lFcsa95bzoRm1UzD09jXqsJQO8BR6bmLE+XZ
YnA/QF+W7ain589WkCS3ER9gptwuw683AgMBAAGjgbwwgbkwHQYDVR0OBBYEFFdA
z3naeZEhRpUg4MfD2Dg93nmoMIGJBgNVHSMEgYEwf4AUV0DPedp5kSFGlSDgx8PY
OD3eeaihXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEXMBUGA1UEChMO
U29uaWNXQUxMIEluYy4xIzAhBgNVBAMTGlNvbmljV0FMTCBGaXJld2FsbCBEUEkt
U1NMggkAwKhzDs5ynb8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm
kgRiH8A1r6in0u3iAqFBuiNDdkqefVOZAULEplx00/kETR5m3IOurG+pKln4SmNp
lZgxA6/ldr+wPgXQD72mbXUHDLIaSernjMhNC1MxhVGiXTGLyYL2ULv52mk8EIzY
Qxk7DWfLJqCuUyZ59+spkQu40uTZX14Dc/uM142bJg==
-----END CERTIFICATE-----
```

So there's no garbage.

Now one question: will wget automatically accept these certificates once they are in the certificates folder?

----------

## Ant P.

Put the PEM files in /usr/local/share/ca-certificates and then run update-ca-certificates.

----------

## wolvie

just drop the files in

```
/usr/local/share/ca-certificates/
```

you can (should) create a directory inside it to keep certs organized and then run

```
update-ca-certificates
```

or

```
emerge app-misc/ca-certificates
```
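An added example (not code from any poster above) that ties wolvie's conversion advice and the install steps together: it tells a DER `.cer` from one that is already PEM, strips anything outside the `-----BEGIN/END CERTIFICATE-----` block, drops the result into `/usr/local/share/ca-certificates/` with the `.crt` extension that `update-ca-certificates` requires, and then checks that wget can verify a fetch against the rebuilt bundle. The subdirectory name `sonicwall` and the bundle path `/etc/ssl/certs/ca-certificates.crt` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Normalises a .cer file into the PEM form
# update-ca-certificates expects, covering both cases seen above: a DER file
# (needs openssl) and a PEM file that may carry junk before its header.
# Assumed: /usr/local/share/ca-certificates is the local CA dir and the rebuilt
# bundle lands in /etc/ssl/certs/ca-certificates.crt.

# cert_format FILE -> "pem" if a PEM header is present, "der" if the file
# starts with the ASN.1 SEQUENCE tag 0x30, "unknown" otherwise.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# cer_to_pem SRC DST -> writes a clean PEM file; returns 1 on unknown input.
cer_to_pem() {
    case "$(cert_format "$1")" in
        pem) # keep only the BEGIN..END block(s); anything outside is dropped
             sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "$1: neither DER nor PEM" >&2; return 1 ;;
    esac
}

# pem_block_count FILE -> number of certificates in the PEM file (sanity check)
pem_block_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# install_ca PEM NAME [SUBDIR] -> copies PEM into the local CA dir as NAME.crt
# (update-ca-certificates only picks up *.crt there) and rebuilds the bundle.
# Needs root.
install_ca() {
    dir="/usr/local/share/ca-certificates/${3:-sonicwall}"
    mkdir -p "$dir" && cp "$1" "$dir/$2.crt" && update-ca-certificates
}

# check_fetch URL -> succeeds only if wget verifies the server chain against
# the rebuilt bundle, i.e. the check that failed for layman/emerge above.
check_fetch() {
    wget -q --spider --ca-certificate=/etc/ssl/certs/ca-certificates.crt "$1"
}
```

Typical use: `cer_to_pem SonicWall_DPI-SSL_CA.cer sonicwall-ca.pem && install_ca sonicwall-ca.pem sonicwall-ca && check_fetch https://api.gentoo.org/overlays/repositories.xml`.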

----------

## gfaccin

I'm at work now and it seems that the situation is fixed! Thank you all!

Changing the post topic to Solved.

----------

