append crt

digicert/DigiCertHighAssuranceCA-3.crt
digicert/DigiCertSecureServerCA.crt
digicert/DigiCertHighAssuranceEVRootCA.crt

convert encoded .crt to plaintext .crt

openssl x509 -inform DES -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.crt -text
openssl x509 -inform DES -in DigiCertSecureServerCA.crt -out DigiCertSecureServerCA.crt -text
openssl x509 -inform DES -in DigiCertHighAssuranceCA-3.crt -out DigiCertHighAssuranceCA-3.crt -text

curl facebook

curl https://facebook.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

grab the certs

cd ~/
mkdir digi
wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
wget https://www.digicert.com/CACerts/DigiCertSecureServerCA.crt
wget https://www.digicert.com/CACerts/DigiCertHighAssuranceCA-3.crt

move the certs

mkdir /usr/share/ca-certificates/digicert/
mv *.crt /usr/share/ca-certificates/digicert/

openssl s_client -connect facebook

openssl s_client -connect graph.facebook.com:443 -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
-----BEGIN CERTIFICATE-----
REMOVED FOR BREVITY
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
REMOVED FOR BREVITY
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
No client certificate CA names sent
---
SSL handshake has read 3156 bytes and written 432 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 2061D27CF6BEB5BFB7AE6C1016D94C621DA16E813056FCD8D0D1A425ABF5B328
    Session-ID-ctx:
    Master-Key: A3BDE7A1AFED3A78EE0829678AF4F9300882BCCC1474CE05F0FCD7177D8FCAD488F131B2B3768480CD6702E13FA7248B
    Key-Arg   : None
    Start Time: 1397486170
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Output from doctor

ruby doctor.rb
/usr/bin/ruby1.8 (1.8.6)
OpenSSL 0.9.8g 19 Oct 2007: /usr/lib/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
 
HEAD https://status.github.com:443
OpenSSL::SSL::SSLError: certificate verify failed
 
The server presented a certificate that could not be verified:
  subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
  issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
  error code 20: unable to get local issuer certificate

rehash

cd /etc/ssl
sudo c_rehash

successful ruby doctor

ruby doctor.rb
/usr/bin/ruby1.8 (1.8.6)
OpenSSL 0.9.8g 19 Oct 2007: /usr/lib/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""

HEAD https://status.github.com:443

Update install packages

sudo apt-get update && sudo apt-get install

Using the doctor script

ruby doctor.rb facebook.com
ruby doctor.rb google.com