
Short and simple cronjob to sync OSX Keychain certs to a Homebrew-installed OpenSSL

Primary language: Shell

openssl-osx-ca

A simple script intended to be run from cron(1) to sync the CA PEM file of a Homebrew-installed OpenSSL with the certificates found in the OS X Keychain.

The installed CA PEM file is made available through OpenSSL's default X.509 store path, so programs that use the default verify locations pick it up without extra configuration.

Installation

  • To install via homebrew:

       brew tap raggi/ale
       brew install openssl-osx-ca
  • To install standalone:

       make install PREFIX=/opt/openssl-osx-ca
  • To set the sync frequency, set the value of FREQUENCY when installing; it defaults to @hourly. The value of FREQUENCY must be a supported crontab time specification, e.g.

       make install FREQUENCY=@daily

Intended use cases

  • Ruby 2.0.0+
  • Other brew installed programs that rely on modern OpenSSL versions

Known limitations

  • openssl s_client does not respect the default cafile. Adding any -CApath argument (even e.g. '?') will cause verification to work.
  • Syncs are only performed once per hour.
  • Syncs may not be sufficiently atomic. There is a small possibility of a race condition in which an openssl program reads the CA file while it is being rewritten and fails verification. The sync itself is very short, so in practice this is unlikely.
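As an added example (not the project's own script), here is a cron-driven sync covering the procedure described above and the atomicity caveat: it exports the Keychain certificates with security(1) and installs the bundle through a temp file in the same directory followed by a rename, so a reader of cert.pem never sees a partial file. The keychain paths, the OPENSSLDIR lookup and the `sync` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the project's script: export the macOS Keychain CA
# certificates as PEM and install them as the OpenSSL default CA bundle,
# replacing the file atomically so readers never see a half-written bundle.
set -eu

# Keychains to export from (assumed standard macOS locations; adjust if needed).
KEYCHAINS="/System/Library/Keychains/SystemRootCertificates.keychain
/Library/Keychains/System.keychain"

# Print every certificate in the keychains above as PEM on stdout.
export_keychain_pem() {
  for kc in $KEYCHAINS; do
    if [ -e "$kc" ]; then security find-certificate -a -p "$kc"; fi
  done
}

# Count the PEM certificate blocks in file $1 (prints 0 if there are none).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Read a PEM bundle from stdin and install it at $1. The data is written to a
# temp file in the same directory, so the final mv(1) is a same-filesystem
# rename(2) and the old bundle stays readable until the new one is complete.
# Refuses (exit 1, old bundle untouched) when the new bundle holds no certs,
# e.g. because the export step failed. Prints the certificate count on success.
install_ca_bundle() {
  dest="$1"
  tmp=$(mktemp "$(dirname "$dest")/.cert.pem.XXXXXX")
  cat > "$tmp"
  n=$(count_certs "$tmp")
  if [ "$n" -eq 0 ]; then
    rm -f "$tmp"
    echo "refusing to install an empty CA bundle into $dest" >&2
    return 1
  fi
  chmod 0644 "$tmp"   # mktemp creates the file 0600; the bundle must be world-readable
  mv -f "$tmp" "$dest"
  echo "$n"
}

# Cron entry point: `sync-keychain-ca.sh sync [cert.pem]`. The default target is
# cert.pem under OPENSSLDIR of the first openssl in PATH (the default store path).
if [ "${1:-}" = "sync" ]; then
  dest="${2:-$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')/cert.pem}"
  export_keychain_pem | install_ca_bundle "$dest"
fi
```

If cert.pem is a symlink, pass the resolved path: mv replaces the link itself, not the file it points to.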