Managing Encryption and Certificates in Oracle® Solaris 11.4

Updated: May 2021

How to Blacklist Certificates From the Oracle Solaris CA Keystore

Blacklisting prevents Oracle Solaris libraries and programs from using the blacklisted CA certificate. Blacklisted certificates are not copied to the /etc/certs/ca-certificates.crt file and are not linked from the OpenSSL CA certificate directory, /etc/openssl/certs.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Collect the names of the certificates to blacklist.
  2. Add the certificate names to the exclusion list of the ca-certificates SMF service.

    In this example, the administrator adds three blacklisted certificates and verifies that they are in the exclusion list.

    # svccfg -s ca-certificates
    svc:/system/ca-certificates> addpropvalue config/exclude/example astring Example_Root_CA1.pem
    svc:/system/ca-certificates> addpropvalue config/exclude/example astring Example_root_CA_temp1.pem
    svc:/system/ca-certificates> addpropvalue config/exclude/example astring Example_root_CA_temp2.pem
    svc:/system/ca-certificates> listprop config/exclude
    config/exclude            application
    config/exclude/example    astring   'Example_Root_CA1.pem' 'Example_root_CA_temp1.pem' 'Example_root_CA_temp2.pem'
    svc:/system/ca-certificates> exit
  3. Restart the ca-certificates service.
    # /usr/sbin/svcadm restart /system/ca-certificates
  4. Verify that the CA certificate service has restarted.

    When the service restarts, it removes the blacklisted certificates from the /etc/certs/ca-certificates.crt file and the /etc/openssl/certs directory.

    $ svcs -x ca-certificates
    svc:/system/ca-certificates:default (CA Certificates Service)
     State: online since 10:10:10 2017
       See: openssl(5)
       See: /var/svc/log/system-ca-certificates:default.log
    Impact: None.
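    A follow-up check that a careful administrator can run after step 4, added here as an example and not part of the Oracle documentation: it confirms that each excluded certificate is absent from the rebuilt bundle and has no symlink in /etc/openssl/certs, matching on the PEM body so no openssl binary is needed. The source directory /etc/certs/CA mentioned in the final comment is an assumption, and the fixture data is constructed, not real certificates.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: after the ca-certificates
# service restarts, confirm that each excluded CA certificate is absent from both the
# assembled bundle and the OpenSSL CA directory (matching on the PEM's base64 body).
# Print the base64 body of the first certificate in a PEM file as one line.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
       /-----END CERTIFICATE-----/   {exit}
       f {printf "%s", $0}' "$1"
}
# Succeed (exit 0) when BUNDLE holds a certificate whose body equals BODY.
bundle_has() {
  awk -v want="$2" '
    /-----BEGIN CERTIFICATE-----/ {b=""; f=1; next}
    /-----END CERTIFICATE-----/   {f=0; if (b == want) {found=1; exit}}
    f {b = b $0}
    END {exit !found}' "$1"
}
# check_excluded BUNDLE CERTDIR SRCDIR NAME...
# Exit 0 when no NAME is in BUNDLE or symlinked from CERTDIR; otherwise report and exit 1.
check_excluded() {
  bundle=$1; certdir=$2; srcdir=$3; shift 3
  rc=0
  for name in "$@"; do
    src="$srcdir/$name"
    [ -f "$src" ] || { echo "no such source PEM: $src"; rc=1; continue; }
    if bundle_has "$bundle" "$(pem_body "$src")"; then
      echo "still in bundle: $name"; rc=1
    fi
    for link in "$certdir"/*; do          # hashed symlinks such as abcd1234.0
      [ -L "$link" ] && [ "$(readlink "$link")" = "$src" ] &&
        { echo "still linked:    $link -> $name"; rc=1; }
    done
  done
  return $rc
}
# Constructed fixture (fake PEM bodies, not real certificates) so the check runs
# offline: a bundle that still contains the excluded cert, plus a hash symlink to it.
make_fixture() {
  d=$(mktemp -d); mkdir -p "$d/CA" "$d/openssl"
  for n in Example_Root_CA1 Trusted_Root_CA9; do
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "MIIB${n}ConstructedBody" \
      '-----END CERTIFICATE-----' > "$d/CA/$n.pem"
  done
  cat "$d/CA/Example_Root_CA1.pem" "$d/CA/Trusted_Root_CA9.pem" > "$d/bundle.crt"
  ln -s "$d/CA/Example_Root_CA1.pem" "$d/openssl/abcd1234.0"
  echo "$d"
}
# On a live system (source directory /etc/certs/CA is an assumption, not stated on the page):
# check_excluded /etc/certs/ca-certificates.crt /etc/openssl/certs /etc/certs/CA Example_Root_CA1.pem
```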