From 3d95aff31e1e477baf2346bb58d72f348da35ea9 Mon Sep 17 00:00:00 2001 From: Thomas Sibley Date: Mon, 21 Oct 2024 14:25:04 -0700 Subject: [PATCH] reference/ca-certificates: Note that running c_rehash on SSL_CERT_DIR is required This is an important detail that someone generally unfamiliar with these configurations would easily miss and then wonder why their certs weren't being picked up. The requirement applies not just to applications using OpenSSL, but often also to applications that use other TLS libraries and support SSL_CERT_DIR for compatibility. --- src/reference/ca-certificates.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/reference/ca-certificates.rst b/src/reference/ca-certificates.rst index 086e37e..9303daf 100644 --- a/src/reference/ca-certificates.rst +++ b/src/reference/ca-certificates.rst @@ -68,7 +68,8 @@ OpenSSL is the most common library used to provide TLS/SSL support in application software. Its `default locations of trusted CA certificates `__ can be overridden by setting the ``SSL_CERT_FILE`` and/or ``SSL_CERT_DIR`` environment -variables. +variables. Filenames in the latter must be hashed with OpenSSL's ``c_rehash`` +utility. Its final trust store is built from certificates in all default locations, so to *comprehensively* override the defaults, all locations must be overridden.
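Review bot: The added sentence "Filenames in the latter must be hashed with OpenSSL's ``c_rehash`` utility" is slightly imprecise about what is required: the directory named by ``SSL_CERT_DIR`` must contain links named by subject-name hash (which ``c_rehash`` generates), and that step has to be repeated whenever certificates are added to or removed from the directory, otherwise newly dropped-in files are silently ignored, which is exactly the failure the commit message describes. Suggest wording along the lines of "The directory named by the latter must be indexed by subject-name hash, e.g. by running OpenSSL's ``c_rehash`` utility (or the equivalent ``openssl rehash`` subcommand) over it, and re-indexed whenever its contents change." Mentioning ``openssl rehash`` is worthwhile because ``c_rehash`` is a separate Perl script that is not present on every system shipping OpenSSL.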