Installing TLS / SSL ROOT Certificates to non-standard environments

It’s probably easier to start from first principles on where openssl is run from.

mryan@imac-2 ~ % which openssl
/usr/bin/openssl

Check the version details, which will return where openssl is reading its configuration and certificates from.

mryan@imac-2 ~ % openssl version -a
LibreSSL 2.8.3
built on: date not available
platform: information not available
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/private/etc/ssl"

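Now copy the Zscaler certificate (or custom certificate) to the OpenSSL certificate chain in that directory.

# The append has to run as root; with "sudo cat file >> target" the redirect is done by the unprivileged shell.
sudo tee -a /private/etc/ssl/cert.pem < ZscalerRootCertificate-2048-SHA256.crt > /dev/null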

Which should render the content correctly and check to the root.

mryan@imac-2 ~ % openssl s_client -connect www.mimecast.com:443 | more
depth=3 DC = net, DC = welshgeek, CN = WelshGeek-DC1-CA
verify return:1
depth=2 C = GB, ST = Wales, L = Cardiff, O = Welshgeek, OU = Network Security, CN = Welshgeek Intermediate
verify return:1
depth=1 C = GB, L = Cardiff, ST = Wales, O = Welshgeek, OU = Network Security, CN = "Welshgeek Intermediate (t) "
verify return:1
depth=0 C = GB, L = London, O = Mimecast Services Limited, OU = Techops, CN = mimecast.com
verify return:1
CONNECTED(00000006)
---
Certificate chain
 0 s:/C=GB/L=London/O=Mimecast Services Limited/OU=Techops/CN=mimecast.com
   i:/C=GB/L=Cardiff/ST=Wales/O=Welshgeek/OU=Network Security/CN=Welshgeek Intermediate (t)
 1 s:/C=GB/L=Cardiff/ST=Wales/O=Welshgeek/OU=Network Security/CN=Welshgeek Intermediate (t)
   i:/C=GB/ST=Wales/L=Cardiff/O=Welshgeek/OU=Network Security/CN=Welshgeek Intermediate
 2 s:/C=GB/ST=Wales/L=Cardiff/O=Welshgeek/OU=Network Security/CN=Welshgeek Intermediate
   i:/DC=net/DC=welshgeek/CN=WelshGeek-DC1-CA
---
Server certificate
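
The append step from the post above, written as an idempotent and checked shell function. This is an added example, not part of the original post; the function names `fp`, `bundle_has` and `add_root_ca` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent, checked append of a
# root CA to an OpenSSL/LibreSSL PEM bundle. Function names are assumptions.

fp() {  # SHA-256 fingerprint of the first certificate in PEM file $1
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

bundle_has() {  # bundle_has FINGERPRINT BUNDLE -> 0 if already present
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, closing each as we go.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { if (f) close(f)
                         f = d "/" (++n) ".pem" }
                     f { print > f }' "$2"
    found=1
    for f in "$tmp"/*.pem; do
        if [ -f "$f" ] && [ "$(fp "$f")" = "$1" ]; then found=0; break; fi
    done
    rm -rf "$tmp"
    return "$found"
}

add_root_ca() {  # add_root_ca CERT BUNDLE -> 0 if trusted afterwards
    cert=$1; bundle=$2
    want=$(fp "$cert")
    [ -n "$want" ] || { echo "not a PEM X.509 certificate: $cert" >&2; return 1; }
    # Compare this value with the fingerprint your proxy team publishes.
    echo "SHA-256 fingerprint: $want"
    if bundle_has "$want" "$bundle"; then echo "already in bundle"; return 0; fi
    cp -p "$bundle" "$bundle.bak" || return 1   # rollback copy
    # If the bundle's last byte is not a newline, a plain append fuses
    # "-----END CERTIFICATE-----" and the next BEGIN marker onto one line,
    # which PEM parsers do not treat as a boundary. Add the newline first.
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"
    # Re-encode through openssl so only the certificate block is appended.
    openssl x509 -in "$cert" >> "$bundle" || return 1
    if ! bundle_has "$want" "$bundle"; then
        cp -p "$bundle.bak" "$bundle"; return 1
    fi
    echo "added to $bundle"
}
```

Run it from a root shell, for example `add_root_ca ZscalerRootCertificate-2048-SHA256.crt /private/etc/ssl/cert.pem`; a second run reports the certificate as already present instead of appending a duplicate.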

Any suggestion for Microsoft Visual Studio?

This should take it straight from the computer certificate store.

@mryan @dcreedy
Please let me know whether the Zscaler certificate will support the iOS Simulator.

Thanks,
Anon

We have added more configuration guides for custom truststores in this help site article:

Please let us know if there are any comments or further examples that you’d like to see added.

Hello All,

Just some points to note with Git, curl and Zscaler.

Git uses the underlying curl library for downloading. Due to enforcement of the RFC, Zscaler is not compatible with the GNU ssl library and, in some cases, the Schannel library. It is recommended to always use the openssl library instead.

On Linux e.g. Ubuntu:

You may see an error like:

error: RPC failed; curl 56 GnuTLS recv error (-110): The TLS connection was non-properly terminated.

A good way to rebuild curl is here: https://github.com/paul-nelson-baker/git-openssl-shellscript/blob/master/compile-git-with-openssl.sh

For Windows:

You may see an error like: error: RPC failed; curl 56 Failure when receiving data from the peer

Sometimes the repository will download; other times, such as on larger repositories, you may get an issue.

When installing git or curl, simply choose the openssl version and import your certificate into the cabundle as per the other guides here.

You may in some cases need to configure git with the global:
git config --global http.sslBackend openssl

If you debug git you will see (missing close_notify) in the logs.