I recently stumbled across a problem with Mac OS X Leopard’s “svn” (Subversion) client, which doesn’t know about common root CAs (such as Thawte in my case), even though they are in the system keychain (which you can view using “Keychain Access”).
It turned out that it only uses the certificates it finds in /System/Library/OpenSSL/certs.
The strange thing is that the Thawte certificate is in fact already present on Mac OS, but it’s inside /usr/share/curl/curl-ca-bundle.crt, which svn doesn’t know about. So what I did to make it work is the following:
I extracted the certificate from /usr/share/curl/curl-ca-bundle.crt and copied it to /tmp/thawte.pem. I then determined the hash of the certificate as follows and created a link to the original certificate bundle (as superuser!):

    # openssl x509 -in /tmp/thawte.pem -noout -hash
    ddc328ff
    # ln -s /usr/share/curl/curl-ca-bundle.crt /System/Library/OpenSSL/certs/ddc328ff.0

Voilà! Now I could connect to our Subversion repository without receiving a warning like the following:

    Error validating server certificate for 'https://our.repos.de:443':
     - The certificate is not issued by a trusted authority. Use the
       fingerprint to validate the certificate manually!
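
The extract, hash and install steps above can be scripted. The following is an added example, not code from the original post: the function names are hypothetical, and it copies only the single extracted certificate into the hashed directory instead of linking the whole bundle, so only that one CA is added.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the post.

# extract_cert BUNDLE PATTERN OUT
# Copy the first certificate in BUNDLE whose subject matches PATTERN to OUT.
extract_cert() {
    bundle=$1; pattern=$2; out=$3
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per PEM block.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%05d.pem", dir, ++n); inblk = 1 }
        inblk { print > f }
        /-----END CERTIFICATE-----/ { inblk = 0; close(f) }
    ' "$bundle"
    rc=1
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        if openssl x509 -in "$f" -noout -subject 2>/dev/null | grep -q -- "$pattern"; then
            cp "$f" "$out" && rc=0
            break
        fi
    done
    rm -rf "$tmpdir"
    return $rc
}

# cert_hash FILE
# Print the subject hash that names the file in a hashed certificate directory.
# OpenSSL 1.0.0 and later compute it differently from earlier releases;
# "-subject_hash_old" prints the earlier form.
cert_hash() {
    openssl x509 -in "$1" -noout -hash
}

# install_cert FILE DIR
# Copy FILE to DIR/<hash>.N using the first free N, and print the path.
# An identical file already present is reused, so repeat runs add nothing.
install_cert() {
    cert=$1; dir=$2
    h=$(cert_hash "$cert") || return 1
    i=0
    while [ -e "$dir/$h.$i" ]; do
        cmp -s "$cert" "$dir/$h.$i" && { printf '%s\n' "$dir/$h.$i"; return 0; }
        i=$((i + 1))
    done
    cp "$cert" "$dir/$h.$i" && printf '%s\n' "$dir/$h.$i"
}
```

With the paths from the post, this would be called as extract_cert /usr/share/curl/curl-ca-bundle.crt Thawte /tmp/thawte.pem, followed by install_cert /tmp/thawte.pem /System/Library/OpenSSL/certs as superuser.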