Where should I add a trusted certificate?

[Johan]

I want to add a trusted certificate to the openssl used by a plugin (Transmission in case it matters). I can't seem to figure out how the openssl installation used by FreeNAS works. There's a ton of etc directories if you include the jailed/pbied ones, and none of them have the layout I expected. Is this documented somewhere?

 

[Dusan]

Unfortunately this is not possible as the transmission web interface does not support SSL.

 

[Johan]

That's beside the point. I'm not interested in the UI. What I want is https tracker support, which IS in Transmission as far as I know.

 

[Dusan]

Oh, you did not actually mention that in your original post.
Transmission is using curl to fetch data from trackers. Curl in the BT plugin is configured to use this certificate bundle:
/usr/pbi/transmission-amd64/share/certs/ca-root-nss.crt
(you can check the CA path by running /usr/pbi/transmission-amd64/bin/curl-config --ca)
You can override the default by pointing environmental variable CURL_CA_BUNDLE to the cert bundle you want to use.
So, you can either overwrite/append the default cert file, or you can use the env. variable.

 

[Johan]

Ok, thank you. I'll look into the curl angle, but I want to add a particular site certificate that is signed by a CA that I in general don't trust (RapidSSL). So each app does its own SSL, even within one particular plugin?

 

[Dusan]

This is a bit disorganized in the Unix world. For example in FreeBSD there's this port -- http://www.freshports.org/security/ca_root_nss -- that's used by many other ports (see the for Run list). But, although the CA certs in this port come from the Mozilla NSS projects, the Firefox port (http://www.freshports.org/www/firefox/) does not use it. Firefox has it's own separate collection of certs + the interface to edit it.