A custom Certificate Authority (CA) certificate is used to sign other certificates. The system determines whether a key and certificate are valid by verifying that the CA referenced on a certificate has a corresponding CA certificate in /etc/certs/CA.
See Creating a Self-Signed Server Certificate Authority in Copying and Creating Package Repositories in Oracle Solaris 11.3 for a description of creating and testing your own CA certificate.
See Configure Image and Publisher Properties for a description of the trust-anchor-directory image property.
Put the CA certificates directly in the directory named by trust-anchor-directory. Do not put the certificates in another subdirectory.
Do not put a CA certificate in the directory that is a duplicate of a certificate that is already in the directory.
Do not put a file in the directory that is not a valid certificate file.
After copying the CA certificate into the directory, refresh the ca-certificates service, which regenerates /etc/certs/ca-certificates.crt:
$ svcadm refresh svc:/system/ca-certificates:default
Verify that the service is online:
$ svcs ca-certificates
If the service is not in the online state, or if the CA does not appear in /etc/certs/ca-certificates.crt, check the service log file:
$ svcs -xL ca-certificates
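As an added check that is not part of the Oracle documentation, the following script audits a trust-anchor directory against the three rules above (no subdirectories, no duplicate certificates, only valid certificate files) and, when given the bundle path, confirms that each CA made it into /etc/certs/ca-certificates.crt. The directory and bundle paths are arguments; openssl(1) is assumed to be available for the parse check and is skipped if it is not.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: audit a trust-anchor
# directory (normally /etc/certs/CA) against the rules above before running
# "svcadm refresh svc:/system/ca-certificates:default", and optionally confirm
# that each CA appears in the generated bundle /etc/certs/ca-certificates.crt.
# Needs only sh, awk, tr and grep; openssl(1) is used for a parse check when present.

# Print the base64 body of every CERTIFICATE block in a file, whitespace removed.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {inb=1; next}
         /-----END CERTIFICATE-----/   {inb=0}
         inb' "$1" | tr -d ' \t\r\n'
}

# check_trust_anchor_dir DIR [BUNDLE]
# Returns 0 when every entry in DIR is a regular PEM certificate file, no two
# entries carry the same certificate and, if BUNDLE is given, each certificate
# is present in BUNDLE. Every violation is reported on stdout.
check_trust_anchor_dir() {
    dir=$1; bundle=${2:-}; rc=0; seen=
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue                      # pattern matched nothing
        if [ -d "$f" ]; then
            echo "ERROR: $f: subdirectory; certificates must sit directly in $dir"
            rc=1; continue
        fi
        body=$(pem_body "$f")
        if [ -z "$body" ]; then
            echo "ERROR: $f: not a PEM certificate file"
            rc=1; continue
        fi
        if command -v openssl >/dev/null 2>&1 &&
           ! openssl x509 -noout -in "$f" >/dev/null 2>&1; then
            echo "ERROR: $f: openssl cannot parse it as an X.509 certificate"
            rc=1; continue
        fi
        case " $seen " in
            *" $body "*) echo "ERROR: $f: duplicate of a certificate already in $dir"
                         rc=1; continue ;;
        esac
        seen="$seen $body"
        if [ -n "$bundle" ] && ! tr -d ' \t\r\n' < "$bundle" | grep -qF -- "$body"; then
            echo "ERROR: $f: missing from $bundle (see: svcs -xL ca-certificates)"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_trust_anchor_dir /etc/certs/CA /etc/certs/ca-certificates.crt` after the refresh; a non-zero exit points at the offending file before you go to the service log.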
Updating the certificate and key for multiple systems is easier if you package the certificate and key files. If the certificates need to change, update the package, and then run pkg update on each system.
In the package manifest, give each certificate's file action a refresh_fmri actuator so that installing or updating the package refreshes the ca-certificates service:
file group=sys mode=0644 owner=root path=etc/certs/CA/mycert.pem \
    refresh_fmri=svc:/system/ca-certificates:default
The following pkgmogrify rule automates adding this refresh actuator:
<transform file path=etc/certs/CA/.*\.pem -> add refresh_fmri svc:/system/ca-certificates:default>
The /etc, /etc/certs, and /etc/certs/CA directories are already delivered by the system. See Add Necessary Metadata to the Generated Manifest and Verify the Package.