#35474: RFE: Have curl-ca-bundle install individual .pem files in ${prefix}/etc/openssl/certs
-----------------------------+-----------------------
  Reporter:  landonf@…       |      Owner:  landonf@…
      Type:  enhancement     |     Status:  new
  Priority:  Normal          |  Milestone:
 Component:  ports           |    Version:
Resolution:                  |   Keywords:
      Port:  curl-ca-bundle  |
-----------------------------+-----------------------

Comment (by landonf@…):

I finally had time to look at this; it turned out to be pretty easy (well, the non-Java part, anyway).

See the attached certsync.m; it exports anchor certificates from the system keychain.

To compile:

{{{
clang -mmacosx-version-min=10.6 certsync.m -o certsync -framework Foundation -framework Security -fobjc-arc
}}}

Example usage:

{{{
./certsync -o /opt/local/etc/openssl/cert.pem (this overwrites the curl-ca-bundle symlink)
}}}

This will write out all OS-included CA certs, as well as any CA certs that have been installed system-wide by the user -- this ought to make life a *lot* easier for anyone that works for a company that manages internal private CAs.

I'm open to suggestions on how best to integrate this into MacPorts; ideally it would be run automatically at activate-time, along with a user-executable script to update the certificates (or via cron, or via monitoring the keychain, or ...).

Since curl is configured with a non-standard certificate path, the above certsync command won't affect it. You can test with curl by overwriting the actual path curl is configured with:

{{{
./certsync -o /opt/local/etc/openssl/cert.pem (this overwrites the curl-ca-bundle symlink)
}}}

Short of patching curl to use SSL_CTX_set_default_verify_paths(), we should probably change the curl port to use:

{{{
--with-ca-bundle=${prefix}/etc/openssl/cert.pem
}}}

-- 
Ticket URL: <https://trac.macports.org/ticket/35474#comment:9>
MacPorts <http://www.macports.org/>
Ports system for OS X
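The ticket title asks for individual .pem files under ${prefix}/etc/openssl/certs, while certsync as described writes a single cert.pem bundle. The following is an added example, not part of this ticket and not the code of certsync.m or of the curl-ca-bundle port: it splits a PEM bundle into one file per distinct certificate, dropping duplicates and blocks that are not base64-encoded DER, and writes each file atomically. The sample bundle, the placeholder DER bodies (ASN.1 SEQUENCE wrappers that are not real certificates), the SHA-256-based file naming and the function names are all assumptions made for the example.

```python
import base64
import hashlib
import os
import re
import tempfile


def _fake_der(label: bytes) -> bytes:
    """Constructed placeholder: SEQUENCE { OCTET STRING label }. Not a real cert."""
    body = b"\x04" + bytes([len(label)]) + label
    return b"\x30" + bytes([len(body)]) + body


def _pem(der: bytes) -> str:
    """Wrap DER bytes in a CERTIFICATE PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle (assumption, not data from the ticket): two distinct
# "certificates", one exact duplicate, and one block whose body is valid base64
# but not DER, to exercise the de-duplication and sanity checks below.
SAMPLE_BUNDLE = (
    _pem(_fake_der(b"Example Root CA"))
    + _pem(_fake_der(b"Corp Internal CA"))
    + _pem(_fake_der(b"Corp Internal CA"))  # duplicate, must be written once
    + "-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n-----END CERTIFICATE-----\n"
)

_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_bundle(bundle_text: str) -> list:
    """Return [(sha256_hex, der_bytes)] for every distinct, well-formed block."""
    seen = {}
    for m in _BLOCK.finditer(bundle_text):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except (ValueError, TypeError):
            continue  # not valid base64: skip rather than install garbage
        if not der or der[0] != 0x30:
            continue  # an X.509 certificate is an ASN.1 SEQUENCE (tag 0x30)
        fp = hashlib.sha256(der).hexdigest()
        seen.setdefault(fp, der)  # first occurrence wins; later copies dropped
    return list(seen.items())


def install_individual_pems(bundle_text: str, certs_dir: str) -> list:
    """Write one <sha256>.pem per distinct certificate; return the written paths."""
    os.makedirs(certs_dir, mode=0o755, exist_ok=True)
    written = []
    for fp, der in split_bundle(bundle_text):
        path = os.path.join(certs_dir, f"{fp}.pem")
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            f.write(_pem(der))
        os.chmod(tmp, 0o644)      # world-readable, not writable: these are trust anchors
        os.replace(tmp, path)     # atomic rename, so a reader never sees a partial file
        written.append(path)
    return written


def demo(certs_dir: str = None) -> list:
    """Run the example against SAMPLE_BUNDLE in a scratch directory."""
    if certs_dir is None:
        certs_dir = tempfile.mkdtemp(prefix="openssl-certs-")
    return install_individual_pems(SAMPLE_BUNDLE, certs_dir)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Naming files by SHA-256 fingerprint keeps the directory idempotent across re-runs (the same certificate always lands at the same path), but OpenSSL's directory lookup (the -CApath form) expects subject-hash names such as <hash>.0; after populating the directory, run `openssl rehash` (or the older `c_rehash`) on it to create those symlinks. For a real keychain export the bundle text would come from certsync's output file rather than the constructed SAMPLE_BUNDLE.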