To ensure that the CLI SSLMODE values, verify-ca and verify-full establish a successful connection to a server, the server’s root certificate and any other intermediate certificates must be imported to the operating system’s trusted certificate stores.
Linux/UNIX
For the supported procedure to install CA certificates into the operating system’s trusted certificate stores, refer to the operating system’s administration guide or security guide. To find and load trusted CA certificates, CLI uses the default operating system locations. The default locations used by CLI for each platform is listed below:
| Operating System | Trusted Certificate Stores Used by CLI |
|---|---|
| AIX | /var/ssl/certs |
| RHEL, CentOS, Oracle Linux | /etc/pki/tls/cert.pem |
| SLES 11, 12, 15 | /etc/ssl/certs |
| Ubuntu | /etc/ssl/certs |
| Solaris Opteron, Solaris Sparc | /etc/ssl/certs |
Windows
For the supported procedure to install CA certificates into the operating system’s trusted certificate stores, refer to the Windows administration or security guides.
For reference, CLI loads trusted CA certificates from the following stores:
Trusted Root Certification Authorities
Intermediate Certification Authorities
Mac OS X
For the supported procedure to install CA certificates into the operating system’s trusted certificate stores, refer to the Mac OS X administration or security guides.
For reference, CLI loads trusted CA certificates from the System Keychain store.
Custom CA Certificate Store
When a user needs to use a custom trusted certificate store, CLI provides two parameters, namely, SSLCA and SSLCAPATH, to specify the path to the store.