CA Certificates at "/etc/ssl | /private/etc/ssl"

This section provides a tutorial example on how to find CA certificate files used by the PHP programming engine on macOS computers.

Since macOS is a Unix-like operating system (Darwin, with a BSD userland), most applications written for Linux and other Unix systems can be built and run on it.

However, some of those applications cannot use the certificates managed by Keychain. The PHP programming language engine is a good example: its OpenSSL extension reads CA certificates from files on disk, not from the Keychain.

By default, PHP on a Mac computer uses the certificates under /etc/ssl as its CA certificates. /etc/ssl resolves to /private/etc/ssl because /etc is a symbolic link to /private/etc. This location is not chosen by PHP itself; it is the default certificate area compiled into the OpenSSL library PHP is linked against, and it applies unless openssl.cafile/openssl.capath are set in php.ini, the SSL_CERT_FILE/SSL_CERT_DIR environment variables are set, or a stream context supplies its own cafile/capath.

1. Call the openssl_get_cert_locations() function in PHP to see where its OpenSSL extension searches for CA certificates.

herong$ php -a 
php > var_dump(openssl_get_cert_locations());

array(8) {
  ["default_cert_file"]=>
  string(25) "/private/etc/ssl/cert.pem"
  ["default_cert_file_env"]=>
  string(13) "SSL_CERT_FILE"
  ["default_cert_dir"]=>
  string(22) "/private/etc/ssl/certs"
  ["default_cert_dir_env"]=>
  string(12) "SSL_CERT_DIR"
  ["default_private_dir"]=>
  string(24) "/private/etc/ssl/private"
  ["default_default_cert_area"]=>
  string(16) "/private/etc/ssl"
  ["ini_cafile"]=>
  string(0) ""
  ["ini_capath"]=>
  string(0) ""
}

2. Look at the first entry in the output, default_cert_file: /private/etc/ssl/cert.pem. The empty ini_cafile and ini_capath values show that no php.ini override is in effect, so this is the file PHP actually uses. Its timestamp shows that it was installed as part of the macOS system and has not been updated since.

herong$ ls -l /etc/ssl/cert.pem
-rw-r--r--  1 root  wheel  227344 Feb  9  2017 /etc/ssl/cert.pem

herong$ ls -l /private/etc/ssl/cert.pem
-rw-r--r--  1 root  wheel  227344 Feb  9  2017 /private/etc/ssl/cert.pem

3. List the certificates in /etc/ssl/cert.pem. This bundle includes a human-readable text dump before each PEM block, so grep'ing for "Issuer" is enough to enumerate the CAs (a bundle that carries only the base64 blocks would need openssl x509 instead). Fewer than fifty CA certificates are present.

herong$ grep Issuer /etc/ssl/cert.pem

Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., C...
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certificati...
Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Issuer: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
Issuer: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, O...
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, O...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 200...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 199...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 200...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 200...
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 199...
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing,...
Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert ...
Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (...
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High A...
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assure...
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global...
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusine...
Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Auth...
Issuer: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For author...
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certifi...
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Da...
Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Ce...
Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc...
Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc...
Issuer: C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2
Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=...
Issuer: C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authoriz...
Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=...
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=Add...
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, ...
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=ht...
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=De...
Issuer: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trus...
Issuer: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trus...
Issuer: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
Issuer: C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2
Issuer: C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Issuer: C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítv...

So the Keychain and /etc/ssl are two independent trust stores. If you add a new CA certificate to the "System Roots" Keychain, PHP will not see it; you also need to make it available to OpenSSL, either by appending it to a CA bundle that you point PHP at through openssl.cafile in php.ini (or the SSL_CERT_FILE environment variable, or 'cafile' in a stream context), or by editing /etc/ssl/cert.pem itself, which is a system file that an OS update may overwrite. Otherwise your PHP applications will fail to validate certificates signed by that CA. The reverse also matters: a bundle that has not been updated since 2017 still trusts roots such as StartCom that the Keychain and browsers have since distrusted, so PHP can accept chains the rest of the system rejects.
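To make these three steps repeatable, here is an added example as a PHP command-line script; it is not part of the original tutorial. It reports the CA file PHP will actually use, applying the php.ini and environment overrides in the same order the OpenSSL extension does, inventories every certificate in that bundle with openssl_x509_parse() (so it also works on bundles that lack the text dumps grep relied on), flags roots that have already expired, and shows how one connection can be pointed at a private bundle through the stream context instead of editing /etc/ssl. The bundle path /usr/local/etc/my-ca-bundle.pem is an assumed placeholder.

```php
<?php
// Added example, not part of the original tutorial: inventory the CA bundle
// PHP's OpenSSL extension will use, and point a connection at a private one.
declare(strict_types=1);

// Precedence the OpenSSL extension applies when a stream context sets no
// 'cafile' of its own: openssl.cafile in php.ini, then SSL_CERT_FILE from
// the environment (honoured by OpenSSL's default verify paths), then the
// compiled-in default reported by openssl_get_cert_locations().
function effectiveCaFile(): string
{
    $ini = (string) ini_get('openssl.cafile');
    if ($ini !== '') {
        return $ini;
    }
    $env = getenv('SSL_CERT_FILE');
    if (is_string($env) && $env !== '') {
        return $env;
    }
    return openssl_get_cert_locations()['default_cert_file'];
}

// Render a parsed DN array as "C=US, O=Example, ..."; a repeated attribute
// (two OU values, say) arrives as an array and is joined with '+'.
function dnToString(array $dn): string
{
    $parts = [];
    foreach ($dn as $attr => $value) {
        $parts[] = $attr . '=' . (is_array($value) ? implode('+', $value) : $value);
    }
    return implode(', ', $parts);
}

// One row per certificate in a PEM bundle. openssl_x509_parse() decodes the
// actual certificate, so this works whether or not the bundle carries the
// human-readable "Issuer:" text that grep depends on.
function inventoryBundle(string $path, ?int $now = null): array
{
    $now ??= time();
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read CA bundle: $path");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    $rows = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            continue; // skip a malformed block rather than abort the inventory
        }
        $rows[] = [
            'subject'     => dnToString($info['subject']),
            'issuer'      => dnToString($info['issuer']),
            'not_after'   => gmdate('Y-m-d', $info['validTo_time_t']),
            'expired'     => $info['validTo_time_t'] < $now,
            'self_signed' => $info['subject'] == $info['issuer'],
            'sha256'      => openssl_x509_fingerprint($block, 'sha256'),
        ];
    }
    return $rows;
}

// A stream context that trusts only a private bundle for this connection.
// The path is an assumed placeholder; nothing under /etc/ssl is modified,
// so an OS update cannot silently revert the change.
function privateBundleContext(string $bundle)
{
    return stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => $bundle,
    ]]);
}

$caFile = effectiveCaFile();
echo "PHP verifies peers against: $caFile\n";
$rows = inventoryBundle($caFile);
$expired = array_filter($rows, fn(array $r) => $r['expired']);
printf("%d certificates, %d already expired\n\n", count($rows), count($expired));
foreach ($rows as $r) {
    printf("%-7s %s %s\n", $r['expired'] ? 'EXPIRED' : 'ok', $r['not_after'], $r['subject']);
}
$ctx = privateBundleContext('/usr/local/etc/my-ca-bundle.pem');
// Pass $ctx as the context argument of file_get_contents() or stream_socket_client()
// when connecting to a server whose chain ends in your private CA.
```

Run it with `php ca_inventory.php`. Setting openssl.cafile in php.ini to the same bundle gives every PHP script the process-wide equivalent of the stream context shown here, and effectiveCaFile() will then report that path instead of /private/etc/ssl/cert.pem.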
