Making SVN trust a new root CA certificate

If you’re using Subversion to connect to an HTTPS repository whose server certificate is signed by a non-standard root certificate — such as a CACert.org certificate, for example — here’s how to make Subversion trust that root on Linux or OS X. (Windows users: sorry, you’re out of luck. I haven’t developed on Windows since 1999, and I don’t ever want to go back. So the only way this post will ever be updated with Windows instructions is if someone else figures out how to do it and leaves a comment.)

  • First, download the certificate you’re interested in, e.g. “wget http://www.cacert.org/certs/class1.crt”. I suggest storing it in /etc/ssl/certs with an appropriate name, such as “cacert-root-ca.crt”. You’ll need to have root privileges (use “sudo”) to get write access to the /etc/ssl/certs directory.
  • Run “openssl md5 /etc/ssl/certs/cacert-root-ca.crt” and/or “openssl sha1 /etc/ssl/certs/cacert-root-ca.crt” and compare the results against the certificate fingerprint given on the website. The website you’re downloading this certificate from does give you its MD5 and/or SHA1 fingerprints, right? (If not, what the heck are you doing trusting a certificate you haven’t verified?!?)
  • Run “openssl x509 -text -in /etc/ssl/certs/cacert-root-ca.crt” to verify that the certificate’s data (company name and so on) looks correct.
  • If the above fails, add “-inform der” to the command above: maybe you accidentally downloaded the DER-encoded certificate instead of the PEM-encoded certificate.
  • If you have the DER version, you’ll need to convert it to PEM. Run “sudo openssl x509 -inform der -outform pem -in /etc/ssl/certs/cacert-root-ca.crt -out /etc/ssl/certs/cacert-root-ca.pem”. Note the “sudo” in front of that command: you’re writing to the /etc/ssl/certs directory, so you need to be root.
  • Now that you’ve got a certificate in PEM format and verified it, it’s time to edit your “~/.subversion/servers” file. In the “[globals]” section, add the line “ssl-authority-files = /etc/ssl/certs/cacert-root-ca.crt”. The “ssl-authority-files” option is a colon-delimited list, so if you already have something there and are adding the second certificate to it, use a colon to separate the two paths. If you’re adding a third certificate to the list, then you should already see the colon and be able to figure it out. :-)
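A published certificate fingerprint is the digest of the certificate's DER encoding, so hashing the downloaded file directly only matches when that file is DER; a PEM file has to be decoded first. The following is an added example (not from the original post) that computes the fingerprint from either encoding and compares it with the published value; the function names are hypothetical and the sample bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes, NOT a real certificate: a digest needs no valid ASN.1.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM or DER file."""
    m = PEM_RE.search(data)
    if m:
        # PEM is base64 of the DER bytes; drop line breaks before decoding.
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] == b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        return data
    raise ValueError("neither PEM nor DER certificate data")


def fingerprint(data: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER encoding."""
    digest = hashlib.new(algo, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(data: bytes, published: str, algo: str = "sha1") -> bool:
    """Compare with a fingerprint copied from the CA's website."""
    def norm(s: str) -> str:
        return re.sub(r"[\s:]", "", s).upper()  # ignore colons, spaces, case
    return hmac.compare_digest(norm(fingerprint(data, algo)), norm(published))


if __name__ == "__main__":
    import sys
    # Pass the downloaded certificate path, or run on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("SHA1", fingerprint(data))
    print("MD5 ", fingerprint(data, "md5"))
```

Run it with the path to the downloaded certificate and compare the printed values with the ones on the CA's website, or pass the published string to matches_published().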

I mostly figured this out from the “SSL Certificate Management” section of the Subversion book, which I highly recommend reading, BTW.

I hope this helps someone else spend a little less time on Google figuring out how to trust a new root CA.