https://github.com/google/certificate-transparency

Auditing for TLS certificates.
https://github.com/google/certificate-transparency

Last synced: about 2 months ago
JSON representation

Auditing for TLS certificates.

• Host: GitHub
• URL: https://github.com/google/certificate-transparency
• Owner: google
• License: apache-2.0
• Archived: true
• Created: 2014-05-20T17:03:47.000Z (almost 11 years ago)
• Default Branch: master
• Last Pushed: 2023-08-02T10:33:41.000Z (almost 2 years ago)
• Last Synced: 2025-01-07T16:07:30.403Z (4 months ago)
• Language: C++
• Homepage: https://certificate.transparency.dev
• Size: 26.6 MB
• Stars: 870
• Watchers: 102
• Forks: 281
• Open Issues: 78
• Metadata Files:
  • Readme: README-MacOS.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-repositories - google/certificate-transparency - Auditing for TLS certificates. (C++)

README

        
OS X Specific Instructions

==========================

Builds

------

We recommend that you use GClient to build on OSX. Please follow the

instructions in the [main readme](README.md) file.

Trusted root certificates

-------------------------

The CT code requires a set of trusted root certificates in order to:

   1. Validate outbound HTTPS connections

   2. (In the case of the log-server) decide whether to accept a certificate

      chain for inclusion.

On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains

Apple-provided patches which intercept failed chain validations and re-attempts

them using roots obtained from the system keychain. Since we use a much more

recent (and unpatched) version of OpenSSL this behaviour is unsupported and so

a PEM file containing the trusted root certs must be used.

To use a certificate PEM bundle file with the CT C++ code, the following

methods may be used.

### Incoming inclusion requests (ct-server only)

Set the `--trusted_cert_file` flag to point to the location of the PEM file

containing the set of root certificates whose chains should be accepted for

inclusion into the log.

### For verifying outbound HTTPS connections (ct-mirror)

Either set the `--trusted_roots_certs` flag, or the `SSL_CERT_FILE`

environment variable, to point to the location of the PEM file containing the

root certificates to be used to verify the outbound HTTPS connection.

Sources of trusted roots

------------------------

Obviously the choice of root certificates to trust for outbound HTTPS

connections and incoming inclusion requests are a matter of operating policy,

but it is often useful to have a set of common roots for testing and

development at the very least.

While OSX ships with a set of common trusted roots, they are not directly

available to OpenSSL and must be exported from the keychain first.  This can be

achieved with the following command:

```bash

security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem

security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem

```