Next: , Previous: , Up: System Configuration   [Contents][Index]


6.2.9 X.509 Certificates

Web servers available over HTTPS (that is, HTTP over the transport-layer security mechanism, TLS) send client programs an X.509 certificate that the client can then use to authenticate the server. To do that, clients verify that the server’s certificate is signed by a so-called certificate authority (CA). But to verify the CA’s signature, clients must have first acquired the CA’s certificate.

Web browsers such as GNU IceCat include their own set of CA certificates, such that they are able to verify CA signatures out-of-the-box.

However, most other programs that can talk HTTPS—wget, git, w3m, etc.—need to be told where CA certificates can be found.

In GuixSD, this is done by adding a package that provides certificates to the packages field of the operating-system declaration (see operating-system Reference). GuixSD includes one such package, nss-certs, which is a set of CA certificates provided as part of Mozilla’s Network Security Services.

Note that it is not part of %base-packages, so you need to explicitly add it. The /etc/ssl/certs directory, which is where most applications and libraries look for certificates by default, points to the certificates installed globally.

Unprivileged users, including users of Guix on a foreign distro, can also install their own certificate package in their profile. A number of environment variables need to be defined so that applications and libraries know where to find them. Namely, the OpenSSL library honors the SSL_CERT_DIR and SSL_CERT_FILE variables. Some applications add their own environment variables; for instance, the Git version control system honors the certificate bundle pointed to by the GIT_SSL_CAINFO environment variable. Thus, you would typically run something like:

$ guix package -i nss-certs
$ export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
$ export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
$ export GIT_SSL_CAINFO="$SSL_CERT_FILE"

As another example, R requires the CURL_CA_BUNDLE environment variable to point to a certificate bundle, so you would have to run something like this:

$ guix package -i nss-certs
$ export CURL_CA_BUNDLE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"

For other applications you may want to look up the required environment variable in the relevant documentation.


Next: , Previous: , Up: System Configuration   [Contents][Index]