https://github.com/google/certificate-transparency
Auditing for TLS certificates.
https://github.com/google/certificate-transparency
Last synced: about 2 months ago
JSON representation
Auditing for TLS certificates.
- Host: GitHub
- URL: https://github.com/google/certificate-transparency
- Owner: google
- License: apache-2.0
- Archived: true
- Created: 2014-05-20T17:03:47.000Z (almost 11 years ago)
- Default Branch: master
- Last Pushed: 2023-08-02T10:33:41.000Z (almost 2 years ago)
- Last Synced: 2025-01-07T16:07:30.403Z (4 months ago)
- Language: C++
- Homepage: https://certificate.transparency.dev
- Size: 26.6 MB
- Stars: 870
- Watchers: 102
- Forks: 281
- Open Issues: 78
-
Metadata Files:
- Readme: README-MacOS.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- awesome-repositories - google/certificate-transparency - Auditing for TLS certificates. (C++)
README
OS X Specific Instructions
==========================Builds
------We recommend that you use GClient to build on OSX. Please follow the
instructions in the [main readme](README.md) file.Trusted root certificates
-------------------------The CT code requires a set of trusted root certificates in order to:
1. Validate outbound HTTPS connections
2. (In the case of the log-server) decide whether to accept a certificate
chain for inclusion.On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains
Apple-provided patches which intercept failed chain validations and re-attempts
them using roots obtained from the system keychain. Since we use a much more
recent (and unpatched) version of OpenSSL this behaviour is unsupported and so
a PEM file containing the trusted root certs must be used.To use a certificate PEM bundle file with the CT C++ code, the following
methods may be used.### Incoming inclusion requests (ct-server only)
Set the `--trusted_cert_file` flag to point to the location of the PEM file
containing the set of root certificates whose chains should be accepted for
inclusion into the log.### For verifying outbound HTTPS connections (ct-mirror)
Either set the `--trusted_roots_certs` flag, or the `SSL_CERT_FILE`
environment variable, to point to the location of the PEM file containing the
root certificates to be used to verify the outbound HTTPS connection.Sources of trusted roots
------------------------Obviously the choice of root certificates to trust for outbound HTTPS
connections and incoming inclusion requests are a matter of operating policy,
but it is often useful to have a set of common roots for testing and
development at the very least.While OSX ships with a set of common trusted roots, they are not directly
available to OpenSSL and must be exported from the keychain first. This can be
achieved with the following command:```bash
security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem
security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem
```