
Trustchain for Proxy with EZD

We are planning to proxy EZD (Elektron Zero Daemon) through an F5, and I need to install a specific trust chain onto the server where EZD is running. I am trying to understand how EZD knows where to find the CA trust chain. I cannot find anything in the documentation I have.

elektronrefinitiv-realtimeelektron-sdk

Hello @bill.harding,

Please find the response from EZD product development:

"The certificates are installed in the default directory such as /etc/ssl/certs. I believe the EZD is using OpenSSL to access this file.

    [root@ob1d-ddndrp225a certs]# ls -ltr
    total 1708
    -rw-r--r--. 1 root root 978662 Dec 20 2013 ca-bundle.trust.crt
    -rw-r--r--. 1 root root 757191 Dec 20 2013 ca-bundle.crt
    -rwxr-xr-x. 1 root root 829 Jan 8 2014 renew-dummy-cert
    -rwxr-xr-x. 1 root root 610 Jan 8 2014 make-dummy-cert
    -rw-r--r--. 1 root root 2242 Jan 8 2014 Makefile
    [root@ob1d-ddndrp225a certs]# pwd
    /etc/ssl/certs"


@zoya.farberov

Does this mean that the certificate would need to be appended to the existing certificates under /etc/ssl/certs (i.e. ca-bundle.trust.crt)? (We have done this, but EZD still doesn't seem to be using our certs).

I could not find any way to configure EZD to point to a specific certificate (i.e. pem).


Hello @bill.harding,

Please see additional info from development team:

The current EZD release is doing some basic certificate authentication against the default system CA store. Unfortunately, there is essentially 0 consistency or standards for where the default system CA store is installed for Linux. So unfortunately, this is a per-distribution (and probably per-distro-version) operation.

Some info here:

https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

and here (this covers Red Hat 6 and 7, at least):
https://www.happyassassin.net/2015/01/14/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/
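
One way to check the points raised in this thread on the server itself, as an added example that is not part of the original posts and is not EZD or vendor code: the script prints the distribution's directory for additional CA certificates with the command that rebuilds the consolidated bundle, then reports whether a given CA certificate already appears in the usual bundle files. The function names and the optional root-prefix argument are hypothetical, and the paths are the stock RHEL/CentOS and Debian/Ubuntu locations, assumed rather than taken from EZD documentation.

```shell
#!/bin/sh
# Added example, not EZD or vendor code. Paths are the stock RHEL/CentOS and
# Debian/Ubuntu locations (assumed); function names are hypothetical.

# Print "<dir for extra CA certs>|<command that rebuilds the bundle>".
# $1 is an optional root prefix, used only to test against a fake tree.
trust_anchor_dir() {
    root="${1:-}"
    if [ -d "$root/etc/pki/ca-trust/source/anchors" ]; then
        echo "$root/etc/pki/ca-trust/source/anchors|update-ca-trust extract"
    elif [ -d "$root/usr/local/share/ca-certificates" ]; then
        echo "$root/usr/local/share/ca-certificates|update-ca-certificates"
    else
        return 1
    fi
}

# Base64 body of every certificate in a PEM file, one certificate per line.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { if (on) print body; on = 0; next }
         on { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# Succeed if the first certificate in file $2 is also in bundle $1.
bundle_has_cert() {
    want=$(pem_bodies "$2" | head -n 1)
    [ -n "$want" ] || return 2
    pem_bodies "$1" | grep -qxF -- "$want"
}

# For each existing bundle in $2..., say whether the CA in $1 is in it.
report() {
    ca="$1"; shift
    for b in "$@"; do
        [ -f "$b" ] || continue
        if bundle_has_cert "$b" "$ca"; then echo "present: $b"
        else echo "missing: $b"; fi
    done
}

# Usage: sh check-ca.sh /path/to/proxy-ca.pem
if [ $# -ge 1 ]; then
    trust_anchor_dir || echo "no known trust anchor directory found"
    report "$1" /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-bundle.crt \
        /etc/ssl/certs/ca-bundle.trust.crt /etc/ssl/certs/ca-certificates.crt
fi
```

A certificate copied into the anchor directory only shows up as "present" in the generated bundles after the printed rebuild command has been run as root.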
