Trustchain for Proxy with EZD

billyboy

We are planning to proxy EZD (Elektron Zero Daemon) through an F5, and I need to install a specific trust chain onto the server where EZD is running. I am trying to understand how EZD knows where to find the CA trustchain? I cannot find anything in the documentation I have.

zoya faberov

Hello @bill.harding,

Please find the response from EZD product development:

"The certificates are installed
in the default directory such as /etc/ssl/certs. I believe the EZD is
using the openSSL to access this file.

[root@ob1d-ddndrp225a certs]# ls
-ltr

total 1708

-rw-r--r--. 1 root root 978662
Dec 20 2013 ca-bundle.trust.crt

-rw-r--r--. 1 root root 757191
Dec 20 2013 ca-bundle.crt

-rwxr-xr-x. 1 root
root 829 Jan 8 2014 renew-dummy-cert

-rwxr-xr-x. 1 root
root 610 Jan 8 2014 make-dummy-cert

-rw-r--r--. 1 root
root 2242 Jan 8 2014 Makefile

[root@ob1d-ddndrp225a certs]#
pwd

/etc/ssl/certs"

billyboy

@zoya.farberov

Does this mean that the certificate would need to be appended to the existing certificates under /etc/ssl/certs (i.e. ca-bundle.trust.crt)? (We have done this, but EZD still doesn't seem to be using our certs).

I could not find any way to configure EZD to point to a specific certificate (i.e. pem).

zoya faberov

Hello @bill.harding,

Please see additional info from development team:

The current EZD release is doing some basic certificate
authentication against the default system CA store. Unfortunately, there
is essentially 0 consistency or standards for where the default system CA store
is installed for Linux. So unfortunately, this is a per-distribution(and
probably per-distro-version) operation.

Some info here:

https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

and here(this covers redhat 6 and 7, at least):

https://www.happyassassin.net/2015/01/14/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/