Have you had issues with an application complaining about SSL/TLS connectivity to a server?

If the server is using a valid third party signed certificate you should not see issues connecting from a web browser, but maybe you will issues connecting from the command line or from an application.

The way SSL/TLS work in short, is that the client(web browser, command line shell, application, etc) connects to the server and the server responds with a certificate.
This server certificate is signed by a Certificate Authority (CA) and the client checks if the CA is in its trusted Certificate Authorities local database to be able to trust the server certificate.

Web browsers have their own trusted Certifcate Authority databases or use the Operating Systems’ and that is why your browser does rarely complain if the server certificate is signed by a valid CA.

Flow:
Client —-> Server
Server — SSL/TLS certificate –> Client
Client checks server certificate against its CA database to trust or not

Now let’s test from the Linux command line:
// The items in RED are the errors we are getting
// The items in BOLD is the information we need, the certificate and the issuer

We are missing the Issuer (CA) certificate:
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

…which is what we need to be able to trust the server certificate:
s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.example.com

[vagrant@vagrant ~]$ openssl s_client -connect site.example.com:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.example.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.example.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Server certificate
—–BEGIN CERTIFICATE—–
XXXFTjCCBDagAwIBAgIQGtNpqqohGc6UzXNUYvmQMTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTUwNjI1
MDAwMDAwWhcNMTYwOTIzMjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExFzAVBgNVBAcUDlJlZHdvb2QgU2hvcmVzMRswGQYDVQQKFBJP
cmFjbGUgQ29ycG9yYXRpb24xDDAKBgNVBAsUA0NJVDEgMB4GA1UEAxQXKi5vcmFj
bGVvdXRzb3VyY2luZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDTDH4+V9VK1ri9uh5zFpV6+VzpIYQOEHmd4Rg68uS3lzMV/xD+HBVEkenarpVP
uXSQnlP79hguSWfOpX1LpNjHeiy68pWMLMUuXmZiXS8BI0ctyGYb7LntAsGe6Y0N
YTBybpxS8szLPXQ6u+wa+6dfHxswEY6CUc+4wFyFgAVqWaKOKoJwaIUd//BoaGMv
E2Jj4ygnesolWWdqTWURsFS3X08P0nNKbXMCQoMvSp3f3rS+p+q/xVXqfJuAo7wZ
yTEBkTxWI2wDnjyWw3hrkfuxrdrs0YhmddHtchNTt3if3Q1LerDOaR3Hhc+H9fVB
cZYgsuNmSABBqQ30T0B8ZSz1AgMBAAGjggGDMIIBfzA5BgNVHREEMjAwghcqLm9y
YWNsZW91dHNvdXJjaW5nLmNvbYIVb3JhY2xlb3V0c291cmNpbmcuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9z
ZC5zeW1jYi5jb20vc2QuY3JsMGEGA1UdIARaMFgwVgYGZ4EMAQICMEwwIwYIKwYB
BQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkMF2h0
dHBzOi8vZC5zeW1jYi5jb20vcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAfBgNVHSMEGDAWgBQNRFwWU0TBgn4dIKsl9AFj2L55pTBXBggrBgEFBQcB
AQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9zZC5zeW1jZC5jb20wJgYIKwYBBQUH
MAKGGmh0dHA6Ly9zZC5zeW1jYi5jb20vc2QuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBrQknzr4wntvKOGc8YK6RfqaXS+r4XH34DlEPp2kFleNRaiJpo2DTVXr1a+WXQ
omrKl9j4Irbf0Jq4vI0XqYw5Ei8WsvqCMoFXqnCwY2MazYVHRF/IYvCWfjIcySGu
tR/RS+bvpN1+ATt8vNnW7imdca3LjkM0Fw2GVjmaX2CeINpCRkuQ/d28ob46o9D9
VF+/kjc2tVwfabQQCNykRlhYLJDmhKcVI5+swD10+JjddbSAsXpIQFy3FI77idvC
rngbwc0G36Rj3DvcoypUbXoFzsnisy58oieFWRzHPe9DVYh0o/uJj40NJDOLuyEA
EIV237/q67gIYEn6LM8CLXXX
—–END CERTIFICATE—–
subject=/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.example.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3


No client certificate CA names sent

SSL handshake has read 1547 bytes and written 591 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 6A6F797F1318EC872CBD4DD899493DB949E08F78A050580F70F9621ABB0ACE0C
Session-ID-ctx:
Master-Key: 4E12620FCE8592D4D272E58D9DC9C313D4A6D83B2956880279F58526526B9AB0AF8A9660AEB40F03FF46CDDFCB970A74
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1439626705
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

DONE

# Get CA Issuer Certificate(s)

Now that we know we are missing the Issuer certificate we need to get it from the Certificate Authority website. In this specific case we need:
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Later you will have the exact same issue with the ‘VeriSign Class 3 Secure Server CA – G3’ certificate because it will be asking for its Issuer certificate ‘VeriSign Class 3 Public Primary Certification Authority – G5’, so you will need to get that Certificate as well.

I searched online for both and found them at:
https://www.tbs-certificates.co.uk/FAQ/en/565.html
https://www.tbs-certificates.co.uk/FAQ/en/599.html

Take everything from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—– and put them in files (e.g. verisign_class_3_secure_server_ca_g3.pem) and (e.g. verisign_class_3_secure_server_ca_g5.pem)

Having both files will ensure you have the entire Trust Chain:
*.example.com CERT trusted by ‘VeriSign Class 3 Secure Server CA – G3’ CERT trusted by ‘VeriSign Class 3 Public Primary Certification Authority – G5’

$ cat /tmp/ca_trust/verisign_class_3_secure_server_ca_g3.pem

—–BEGIN CERTIFICATE—–
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy
aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG
5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8
f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK
tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo
GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV
M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB
2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4
RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw
czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG
A1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu
Y3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp
bWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNo
dHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItNjAdBgNVHQ4EFgQUDURcFlNEwYJ+
HSCrJfQBY9i+eaUwHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJ
KoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++CnqOh5pfB
WJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6
bezQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majp
dirhGi2HbnTTiN0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazg
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
—–END CERTIFICATE—–

$ cat /tmp/ca_certs/verisign_class_3_secure_server_ca_g5.pem

—–BEGIN CERTIFICATE—–
MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
—–END CERTIFICATE—–

# Check CA Issuer Certificates Details

$ openssl x509 -in verisign_class_3_secure_server_ca_g3.pem -text  

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6e:cc:7a:a5:a7:03:20:09:b8:ce:bc:f4:e9:52:d4:91
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA – G3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:b1:87:84:1f:c2:0c:45:f5:bc:ab:25:97:a7:ad:
a2:3e:9c:ba:f6:c1:39:b8:8b:ca:c2:ac:56:c6:e5:
bb:65:8e:44:4f:4d:ce:6f:ed:09:4a:d4:af:4e:10:
9c:68:8b:2e:95:7b:89:9b:13:ca:e2:34:34:c1:f3:
5b:f3:49:7b:62:83:48:81:74:d1:88:78:6c:02:53:
f9:bc:7f:43:26:57:58:33:83:3b:33:0a:17:b0:d0:
4e:91:24:ad:86:7d:64:12:dc:74:4a:34:a1:1d:0a:
ea:96:1d:0b:15:fc:a3:4b:3b:ce:63:88:d0:f8:2d:
0c:94:86:10:ca:b6:9a:3d:ca:eb:37:9c:00:48:35:
86:29:50:78:e8:45:63:cd:19:41:4f:f5:95:ec:7b:
98:d4:c4:71:b3:50:be:28:b3:8f:a0:b9:53:9c:f5:
ca:2c:23:a9:fd:14:06:e8:18:b4:9a:e8:3c:6e:81:
fd:e4:cd:35:36:b3:51:d3:69:ec:12:ba:56:6e:6f:
9b:57:c5:8b:14:e7:0e:c7:9c:ed:4a:54:6a:c9:4d:
c5:bf:11:b1:ae:1c:67:81:cb:44:55:33:99:7f:24:
9b:3f:53:45:7f:86:1a:f3:3c:fa:6d:7f:81:f5:b8:
4a:d3:f5:85:37:1c:b5:a6:d0:09:e4:18:7b:38:4e:
fa:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
OCSP – URI:http://ocsp.verisign.com

X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/cps
User Notice:
Explicit Text: https://www.verisign.com/rpa

X509v3 CRL Distribution Points:
URI:http://crl.verisign.com/pca3-g5.crl

X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0…+…………..k…j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Alternative Name:
DirName:/CN=VeriSignMPKI-2-6
X509v3 Subject Key Identifier:
0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
X509v3 Authority Key Identifier:
keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33

Signature Algorithm: sha1WithRSAEncryption
0c:83:24:ef:dd:c3:0c:d9:58:9c:fe:36:b6:eb:8a:80:4b:d1:
a3:f7:9d:f3:cc:53:ef:82:9e:a3:a1:e6:97:c1:58:9d:75:6c:
e0:1d:1b:4c:fa:d1:c1:2d:05:c0:ea:6e:b2:22:70:55:d9:20:
33:40:33:07:c2:65:83:fa:8f:43:37:9b:ea:0e:9a:6c:70:ee:
f6:9c:80:3b:d9:37:f4:7a:6d:ec:d0:18:7d:49:4a:ca:99:c7:
19:28:a2:be:d8:77:24:f7:85:26:86:6d:87:05:40:41:67:d1:
27:3a:ed:dc:48:1d:22:cd:0b:0b:8b:bc:f4:b1:7b:fd:b4:99:
a8:e9:76:2a:e1:1a:2d:87:6e:74:d3:88:dd:1e:22:c6:df:16:
b6:2b:82:14:0a:94:5c:f2:50:ec:af:ce:ff:62:37:0d:ad:65:
d3:06:41:53:ed:02:14:c8:b5:58:28:a1:ac:e0:5b:ec:b3:7f:
95:4a:fb:03:c8:ad:26:db:e6:66:78:12:4a:d9:9f:42:fb:e1:
98:e6:42:83:9b:8f:8f:67:24:e8:61:19:b5:dd:cd:b5:0b:26:
05:8e:c3:6e:c4:c8:75:b8:46:cf:e2:18:06:5e:a9:ae:a8:81:
9a:47:16:de:0c:28:6c:25:27:b9:de:b7:84:58:c6:1f:38:1e:
a4:c4:cb:66
—–BEGIN CERTIFICATE—–
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy
aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG
5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8
f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK
tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo
GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV
M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB
2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4
RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw
czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG
A1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu
Y3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp
bWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNo
dHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItNjAdBgNVHQ4EFgQUDURcFlNEwYJ+
HSCrJfQBY9i+eaUwHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJ
KoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++CnqOh5pfB
WJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6
bezQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majp
dirhGi2HbnTTiN0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazg
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
—–END CERTIFICATE—–

$ openssl x509 -in verisign_class_3_secure_server_ca_g5.pem -text  

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Jul 16 23:59:59 2036 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. – For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority – G5
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:
08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:
2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:
8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:
a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:
54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:
d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:
7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:
bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:
f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:
ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:
f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:
21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:
63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:
ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:
9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:
25:15
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0…+…………..k…j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Key Identifier:
7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
Signature Algorithm: sha1WithRSAEncryption
93:24:4a:30:5f:62:cf:d8:1a:98:2f:3d:ea:dc:99:2d:bd:77:
f6:a5:79:22:38:ec:c4:a7:a0:78:12:ad:62:0e:45:70:64:c5:
e7:97:66:2d:98:09:7e:5f:af:d6:cc:28:65:f2:01:aa:08:1a:
47:de:f9:f9:7c:92:5a:08:69:20:0d:d9:3e:6d:6e:3c:0d:6e:
d8:e6:06:91:40:18:b9:f8:c1:ed:df:db:41:aa:e0:96:20:c9:
cd:64:15:38:81:c9:94:ee:a2:84:29:0b:13:6f:8e:db:0c:dd:
25:02:db:a4:8b:19:44:d2:41:7a:05:69:4a:58:4f:60:ca:7e:
82:6a:0b:02:aa:25:17:39:b5:db:7f:e7:84:65:2a:95:8a:bd:
86:de:5e:81:16:83:2d:10:cc:de:fd:a8:82:2a:6d:28:1f:0d:
0b:c4:e5:e7:1a:26:19:e1:f4:11:6f:10:b5:95:fc:e7:42:05:
32:db:ce:9d:51:5e:28:b6:9e:85:d3:5b:ef:a5:7d:45:40:72:
8e:b7:0e:6b:0e:06:fb:33:35:48:71:b8:9d:27:8b:c4:65:5f:
0d:86:76:9c:44:7a:f6:95:5c:f6:5d:32:08:33:a4:54:b6:18:
3f:68:5c:f2:42:4a:85:38:54:83:5f:d1:e8:2c:f2:ac:11:d6:
a8:ed:63:6a
—–BEGIN CERTIFICATE—–
MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
—–END CERTIFICATE—–

# Trust the CA Issuer Certificates

There are several ways to do it, see below for some and their pros/cons.

1) Put the CA Issuer certificates in pem format in a folder, and use them directly from the application

This is good for a quick test, but I don’t recommended it as standard operating procedure because you have to manage each set of certs and have the applications point to hardcoded paths.

// Create dir to hold certs

mkdir /tmp/ca_certs

// Put the CA issuer cert in the directory

mv verisign_class_3_secure_server_ca_g3.pem /tmp/ca_certs
mv verisign_class_3_secure_server_ca_g5.pem /tmp/ca_certs

// Create symbolic links needed

$ c_rehash /tmp/ca_certs/
Doing /tmp/ca_certs/
verisign_class_3_secure_server_ca_g3.pem => 46117fcc.0
verisign_class_3_secure_server_ca_g5.pem => b204d74a.0

// Verify successful connectivity by passing the CApath

$ openssl s_client -CApath /tmp/ca_trust/ -connect site.example.com:443

CONNECTED(00000003)
depth=2 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = “(c) 2006 VeriSign, Inc. – For authorized use only”, CN = VeriSign Class 3 Public Primary Certification Authority – G5
verify return:1
depth=1 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA – G3
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.Example.com
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Server certificate
—–BEGIN CERTIFICATE—–
MIIFTjCCBDagAwIBAgIQGtNpqqohGc6UzXNUYvmQMTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTUwNjI1
MDAwMDAwWhcNMTYwOTIzMjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExFzAVBgNVBAcUDlJlZHdvb2QgU2hvcmVzMRswGQYDVQQKFBJP
cmFjbGUgQ29ycG9yYXRpb24xDDAKBgNVBAsUA0NJVDEgMB4GA1UEAxQXKi5vcmFj
bGVvdXRzb3VyY2luZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDTDH4+V9VK1ri9uh5zFpV6+VzpIYQOEHmd4Rg68uS3lzMV/xD+HBVEkenarpVP
uXSQnlP79hguSWfOpX1LpNjHeiy68pWMLMUuXmZiXS8BI0ctyGYb7LntAsGe6Y0N
YTBybpxS8szLPXQ6u+wa+6dfHxswEY6CUc+4wFyFgAVqWaKOKoJwaIUd//BoaGMv
E2Jj4ygnesolWWdqTWURsFS3X08P0nNKbXMCQoMvSp3f3rS+p+q/xVXqfJuAo7wZ
yTEBkTxWI2wDnjyWw3hrkfuxrdrs0YhmddHtchNTt3if3Q1LerDOaR3Hhc+H9fVB
cZYgsuNmSABBqQ30T0B8ZSz1AgMBAAGjggGDMIIBfzA5BgNVHREEMjAwghcqLm9y
YWNsZW91dHNvdXJjaW5nLmNvbYIVb3JhY2xlb3V0c291cmNpbmcuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9z
ZC5zeW1jYi5jb20vc2QuY3JsMGEGA1UdIARaMFgwVgYGZ4EMAQICMEwwIwYIKwYB
BQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkMF2h0
dHBzOi8vZC5zeW1jYi5jb20vcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAfBgNVHSMEGDAWgBQNRFwWU0TBgn4dIKsl9AFj2L55pTBXBggrBgEFBQcB
AQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9zZC5zeW1jZC5jb20wJgYIKwYBBQUH
MAKGGmh0dHA6Ly9zZC5zeW1jYi5jb20vc2QuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBrQknzr4wntvKOGc8YK6RfqaXS+r4XH34DlEPp2kFleNRaiJpo2DTVXr1a+WXQ
omrKl9j4Irbf0Jq4vI0XqYw5Ei8WsvqCMoFXqnCwY2MazYVHRF/IYvCWfjIcySGu
tR/RS+bvpN1+ATt8vNnW7imdca3LjkM0Fw2GVjmaX2CeINpCRkuQ/d28ob46o9D9
VF+/kjc2tVwfabQQCNykRlhYLJDmhKcVI5+swD10+JjddbSAsXpIQFy3FI77idvC
rngbwc0G36Rj3DvcoypUbXoFzsnisy58oieFWRzHPe9DVYh0o/uJj40NJDOLuyEA
EIV237/q67gIYEn6LM8CLah9
—–END CERTIFICATE—–
subject=/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

No client certificate CA names sent

SSL handshake has read 1547 bytes and written 591 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 6A6F797F1318E8462CBD4DD899493DB949E08F78A0505C4E70F9621ABB0AA280
Session-ID-ctx:
Master-Key: 50D309E782DF245FA36BD1028197459FE1A56B976D947D2994BBB75A0754D18AD44A90F29AC818DB28562F0E9E2E5442
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1439631686
Timeout : 300 (sec)
Verify return code: 0 (ok)

2) Append the CA Issuer Certificates to the OS certificate bundle (/etc/pki/tls/certs/ca-bundle.crt)

This is not recommended as standard operating procedure because patches/updates will overwrite the certificate bundle file (/etc/pki/tls/certs/ca-bundle.crt) and the certificates you had added wont be trusted anymore

$ sudo bash -c  'cat /tmp/ca_certs/verisign_class_3_secure_server_ca_g{3,5}* >> /etc/pki/tls/certs/ca-bundle.crt'

// Verify successful connectivity

$ openssl s_client -connect site.example.com:443

CONNECTED(00000003)
depth=2 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = “(c) 2006 VeriSign, Inc. – For authorized use only”, CN = VeriSign Class 3 Public Primary Certification Authority – G5
verify return:1
depth=1 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA – G3
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.Example.com
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Server certificate
—–BEGIN CERTIFICATE—–
MIIFTjCCBDagAwIBAgIQGtNpqqohGc6UzXNUYvmQMTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTUwNjI1
MDAwMDAwWhcNMTYwOTIzMjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExFzAVBgNVBAcUDlJlZHdvb2QgU2hvcmVzMRswGQYDVQQKFBJP
cmFjbGUgQ29ycG9yYXRpb24xDDAKBgNVBAsUA0NJVDEgMB4GA1UEAxQXKi5vcmFj
bGVvdXRzb3VyY2luZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDTDH4+V9VK1ri9uh5zFpV6+VzpIYQOEHmd4Rg68uS3lzMV/xD+HBVEkenarpVP
uXSQnlP79hguSWfOpX1LpNjHeiy68pWMLMUuXmZiXS8BI0ctyGYb7LntAsGe6Y0N
YTBybpxS8szLPXQ6u+wa+6dfHxswEY6CUc+4wFyFgAVqWaKOKoJwaIUd//BoaGMv
E2Jj4ygnesolWWdqTWURsFS3X08P0nNKbXMCQoMvSp3f3rS+p+q/xVXqfJuAo7wZ
yTEBkTxWI2wDnjyWw3hrkfuxrdrs0YhmddHtchNTt3if3Q1LerDOaR3Hhc+H9fVB
cZYgsuNmSABBqQ30T0B8ZSz1AgMBAAGjggGDMIIBfzA5BgNVHREEMjAwghcqLm9y
YWNsZW91dHNvdXJjaW5nLmNvbYIVb3JhY2xlb3V0c291cmNpbmcuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9z
ZC5zeW1jYi5jb20vc2QuY3JsMGEGA1UdIARaMFgwVgYGZ4EMAQICMEwwIwYIKwYB
BQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkMF2h0
dHBzOi8vZC5zeW1jYi5jb20vcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAfBgNVHSMEGDAWgBQNRFwWU0TBgn4dIKsl9AFj2L55pTBXBggrBgEFBQcB
AQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9zZC5zeW1jZC5jb20wJgYIKwYBBQUH
MAKGGmh0dHA6Ly9zZC5zeW1jYi5jb20vc2QuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBrQknzr4wntvKOGc8YK6RfqaXS+r4XH34DlEPp2kFleNRaiJpo2DTVXr1a+WXQ
omrKl9j4Irbf0Jq4vI0XqYw5Ei8WsvqCMoFXqnCwY2MazYVHRF/IYvCWfjIcySGu
tR/RS+bvpN1+ATt8vNnW7imdca3LjkM0Fw2GVjmaX2CeINpCRkuQ/d28ob46o9D9
VF+/kjc2tVwfabQQCNykRlhYLJDmhKcVI5+swD10+JjddbSAsXpIQFy3FI77idvC
rngbwc0G36Rj3DvcoypUbXoFzsnisy58oieFWRzHPe9DVYh0o/uJj40NJDOLuyEA
EIV237/q67gIYEn6LM8CLah9
—–END CERTIFICATE—–
subject=/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

No client certificate CA names sent

SSL handshake has read 1547 bytes and written 591 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 6A6F797F1318E8462CBD4DD899493DB949E08F78A0505C4E70F9621ABB0AA280
Session-ID-ctx:
Master-Key: 50D309E782DF245FA36BD1028197459FE1A56B976D947D2994BBB75A0754D18AD44A90F29AC818DB28562F0E9E2E5442
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1439631686
Timeout : 300 (sec)
Verify return code: 0 (ok)

3) Use the SharedSystemCertificates (*** Recommended ***)
This is the recommended way of adding trusted CA certificates to your RHEL/CentOS systems.
The idea is to make NSS, GnuTLS, OpenSSL and Java share a default source for retrieving system certificate anchors and black list information, details @ https://fedoraproject.org/wiki/Features/SharedSystemCertificates

// Enable the CA trust capability

/usr/bin/update-ca-trust enable

// Copy/Move the Issuer CA certificates to /etc/pki/ca-trust/source/anchors/

$ sudo cp /tmp/ca_certs/verisign_class_3_secure_server_ca_g{3,5}* /etc/pki/ca-trust/source/anchors/

// Update the CA trust

/usr/bin/update-ca-trust extract

// Verify successful connectivity

$ openssl s_client -connect site.example.com:443

CONNECTED(00000003)
depth=2 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = “(c) 2006 VeriSign, Inc. – For authorized use only”, CN = VeriSign Class 3 Public Primary Certification Authority – G5
verify return:1
depth=1 C = US, O = “VeriSign, Inc.”, OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA – G3
verify return:1
depth=0 C = US, ST = California, L = City, O = Example Corporation, OU = CIT, CN = *.Example.com
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

Server certificate
—–BEGIN CERTIFICATE—–
MIIFTjCCBDagAwIBAgIQGtNpqqohGc6UzXNUYvmQMTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTUwNjI1
MDAwMDAwWhcNMTYwOTIzMjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExFzAVBgNVBAcUDlJlZHdvb2QgU2hvcmVzMRswGQYDVQQKFBJP
cmFjbGUgQ29ycG9yYXRpb24xDDAKBgNVBAsUA0NJVDEgMB4GA1UEAxQXKi5vcmFj
bGVvdXRzb3VyY2luZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDTDH4+V9VK1ri9uh5zFpV6+VzpIYQOEHmd4Rg68uS3lzMV/xD+HBVEkenarpVP
uXSQnlP79hguSWfOpX1LpNjHeiy68pWMLMUuXmZiXS8BI0ctyGYb7LntAsGe6Y0N
YTBybpxS8szLPXQ6u+wa+6dfHxswEY6CUc+4wFyFgAVqWaKOKoJwaIUd//BoaGMv
E2Jj4ygnesolWWdqTWURsFS3X08P0nNKbXMCQoMvSp3f3rS+p+q/xVXqfJuAo7wZ
yTEBkTxWI2wDnjyWw3hrkfuxrdrs0YhmddHtchNTt3if3Q1LerDOaR3Hhc+H9fVB
cZYgsuNmSABBqQ30T0B8ZSz1AgMBAAGjggGDMIIBfzA5BgNVHREEMjAwghcqLm9y
YWNsZW91dHNvdXJjaW5nLmNvbYIVb3JhY2xlb3V0c291cmNpbmcuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9z
ZC5zeW1jYi5jb20vc2QuY3JsMGEGA1UdIARaMFgwVgYGZ4EMAQICMEwwIwYIKwYB
BQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkMF2h0
dHBzOi8vZC5zeW1jYi5jb20vcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjAfBgNVHSMEGDAWgBQNRFwWU0TBgn4dIKsl9AFj2L55pTBXBggrBgEFBQcB
AQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9zZC5zeW1jZC5jb20wJgYIKwYBBQUH
MAKGGmh0dHA6Ly9zZC5zeW1jYi5jb20vc2QuY3J0MA0GCSqGSIb3DQEBBQUAA4IB
AQBrQknzr4wntvKOGc8YK6RfqaXS+r4XH34DlEPp2kFleNRaiJpo2DTVXr1a+WXQ
omrKl9j4Irbf0Jq4vI0XqYw5Ei8WsvqCMoFXqnCwY2MazYVHRF/IYvCWfjIcySGu
tR/RS+bvpN1+ATt8vNnW7imdca3LjkM0Fw2GVjmaX2CeINpCRkuQ/d28ob46o9D9
VF+/kjc2tVwfabQQCNykRlhYLJDmhKcVI5+swD10+JjddbSAsXpIQFy3FI77idvC
rngbwc0G36Rj3DvcoypUbXoFzsnisy58oieFWRzHPe9DVYh0o/uJj40NJDOLuyEA
EIV237/q67gIYEn6LM8CLah9
—–END CERTIFICATE—–
subject=/C=US/ST=California/L=City/O=Example Corporation/OU=CIT/CN=*.Example.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA – G3

No client certificate CA names sent

SSL handshake has read 1547 bytes and written 591 bytes

New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 6A6F797F1318E8462CBD4DD899493DB949E08F78A0505C4E70F9621ABB0AA280
Session-ID-ctx:
Master-Key: 50D309E782DF245FA36BD1028197459FE1A56B976D947D2994BBB75A0754D18AD44A90F29AC818DB28562F0E9E2E5442
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1439641898
Timeout : 300 (sec)
Verify return code: 0 (ok)