I have a Debian box that I would like to talk to a remote server over SSL. The remote server has a self-signed certificate. How can I instruct my local machine to create a permanent security exception for the remote machine?

Note: I need a command-line method for this.

A: 

Can you not just add the remote server and its key to the list of known hosts?

Jonathan Leffler
A: 

The method I found for doing this is based on material at http://www.madboa.com/geek/openssl/

Step 1: get the cert

Use the get-cert.sh script:

#!/bin/sh
#
# usage: get-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}

test -n "$REMHOST" || { echo "usage: get-cert.sh remote.host.name [port]" >&2; exit 1; }

# An empty stdin makes s_client exit right after the handshake; sed keeps
# only the PEM block of the certificate the server presented.
echo |\
openssl s_client -connect "${REMHOST}:${REMPORT}" 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Get the certificate file and save it in /usr/lib/ssl/certs with a .pem extension.

Step 2: generate a hash for the cert

#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
#
# Run this from the certificate directory: it creates the <hash>.N symlink
# that OpenSSL's directory lookup uses to find a trusted certificate.

for CERTFILE in "$@"; do
  # make sure file exists and is a valid cert
  test -f "$CERTFILE" || continue
  HASH=$(openssl x509 -noout -hash -in "$CERTFILE") || continue
  test -n "$HASH" || continue

  # use lowest available iterator for symlink
  for ITER in 0 1 2 3 4 5 6 7 8 9; do
    test -f "${HASH}.${ITER}" && continue
    ln -s "$CERTFILE" "${HASH}.${ITER}"
    test -L "${HASH}.${ITER}" && break
  done
done

Run the certlink.sh script on the file you downloaded in step 1 and then you are done.

The location of the cert files may vary with your operating system.

_Kevin
What this is basically doing is obtaining the Certificate Authority certificate from the remote host that has the self-signed cert and adding it to the list of trusted certificate authorities on *YOUR* host.
Chris Cleeland
Correct. And that's what I needed to do.
_Kevin
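The procedure from Kevin's answer as one script, added here as an example and not taken from the answer or from madboa.com: it prints the SHA-256 fingerprint so the file can be compared with what the server operator tells you out of band before it is trusted, creates the hashed symlink into a directory of your choice, and then confirms with `openssl verify -CApath` that OpenSSL really accepts the certificate. It assumes only the `openssl` command line tool; the directory and file names are placeholders, and `-subject_hash` is the name modern OpenSSL gives the value that `-hash` prints in certlink.sh.

```shell
#!/bin/sh
# Added example, not code from the original answers: install a self-signed
# server certificate into an OpenSSL hashed CA directory and prove that
# OpenSSL trusts it afterwards. Directory and file names are placeholders.

# Fetch the certificate a TLS server presents (SNI name = host). Needs the
# network, so the offline checks of this script use a locally generated cert.
fetch_server_cert() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# SHA-256 fingerprint of a PEM cert, to compare with the value the server
# operator gives you out of band before you trust the file.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Copy PEM file $1 into directory $2 and create the <subject_hash>.N link that
# OpenSSL's -CApath lookup expects (the scheme certlink.sh implements).
install_trusted_cert() {
    pem=$1; dir=$2; name=$(basename "$pem")
    mkdir -p "$dir" && cp "$pem" "$dir/$name" || return 1
    hash=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
    for iter in 0 1 2 3 4 5 6 7 8 9; do
        link="$dir/$hash.$iter"
        if [ -L "$link" ] || [ -e "$link" ]; then
            # Same cert already linked: nothing to do. Another cert with the
            # same subject hash: leave it alone and try the next suffix.
            [ "$(readlink "$link")" = "$name" ] && return 0
            continue
        fi
        ln -s "$name" "$link" && return 0
    done
    return 1    # ten certificates already share this subject hash
}

# Succeeds only if OpenSSL verifies $1 using the hashed directory $2.
verify_against_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

Running `install_trusted_cert` twice on the same file is harmless; it finds its own link and stops, instead of piling up `.1`, `.2`, ... links as a naive loop would.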