Adding a self-signed certificate to the “trusted list”
Votes: 69
I've generated a self-signed certificate for my build server and I'd like to globally trust the certificate on my machine, as I created the key myself and I'm sick of seeing warnings.
I'm on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://mysite.com without asking questions?
ssl
asked Sep 12 '13 at 22:49
Naftuli Kay
All the TLS should be vectored through OpenSSL, so that's the place to look for documentation. In this case: gagravarr.org/writing/openssl-certs/… looks useful.
– msw Sep 13 '13 at 2:06
5 Answers
Votes: 69 (accepted)
The simple answer to this is that pretty much each application will handle it differently.
Also OpenSSL and GnuTLS (the most widely used certificate processing libraries used to handle signed certificates) behave differently in their treatment of certs, which also complicates the issue. Also operating systems utilize different mechanisms to utilize "root CA" used by most websites.
That aside, giving Debian as an example. Install the ca-certificates package:
    apt-get install ca-certificates
You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):
    cp cacert.pem /usr/share/ca-certificates
And get it to rebuild the directory with your certificate included, run as root:
    dpkg-reconfigure ca-certificates
and select the ask option, scroll to your certificate, mark it for inclusion and select ok.
Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:
    certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file
Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it to the Root CA list.
Most other commands such as curl take command line switches you can use to point at your CA,
    curl --cacert /path/to/CA/cert.file https://...
or drop the SSL validation altogether
    curl --insecure https://...
The rest will need individual investigation if the ca-certificates-like trick does not sort it for that particular application.
answered Sep 14 '13 at 5:42
Drav Sloan
Also, as noted here, adding CA certificates for Java is likewise a separate matter.
– Naftuli Kay Mar 28 '14 at 0:40
After copying the certificate to /usr/share/ca-certificates, I can't see it in the dpkg-reconfigure ca-certificates list. What am I doing wrong?
– Georges Dupéron Feb 17 '15 at 19:21 (2 votes)
@GeorgesDupéron That happened to me too. I resolved it by renaming the cert from whatever.pem to whatever.crt.
– Hello World Oct 3 '15 at 7:19 (9 votes)
ref manuals.gfi.com/en/kerio/connect/content/server-configuration/…
– qxo Jul 18 at 3:09
Votes: 36
Non Interactive Approach
For use in a non-interactive context (e.g. a chef recipe) you can use the following sequence.
    sudo cp my.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates
- Tested and works on debian 5/6 & Ubuntu 14.04.
- For more information, see man update-ca-certificates
This method is preferred over @Drav's method, since /usr/share/ is typically reserved for files added by the OS / apt-get.
edited Dec 9 '16 at 23:37
BobTuckerman
answered May 27 '14 at 9:07
oDDsKooL
It is better to copy the files to /usr/local/share/ca-certificates/ as mentioned in the man pages
– ortang Feb 4 '16 at 10:20 (3 votes)
FYI the A must be a .crt, I found .cert claimed it was added but did not help
– KCD Dec 13 '16 at 3:53
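The file-name and location pitfalls reported in the answers and comments above (a `.pem` or `.cert` file is not picked up on Debian/Ubuntu, and `/usr/local/share/ca-certificates/` is the place for local additions), as an added example that is not part of any answer. The function names, the status words and the one-certificate-per-file check are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check and staging of a local CA certificate for
# update-ca-certificates on Debian/Ubuntu. Function names are hypothetical.

# Directory for locally added CAs (see man update-ca-certificates).
LOCAL_CA_DIR=/usr/local/share/ca-certificates

# check_ca_file FILE
# Prints one of: ok, not-found, not-pem, multiple. Returns 0 only for "ok".
check_ca_file() {
    file=$1
    [ -f "$file" ] || { echo not-found; return 1; }
    # A DER file is binary and has no PEM armor line, so the count is 0.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
    case $count in
        0) echo not-pem; return 1 ;;
        1) echo ok ;;
        # Assumption: bundles are rejected, because the hash-link step
        # (openssl rehash) expects exactly one certificate per file.
        *) echo multiple; return 1 ;;
    esac
}

# stage_ca_cert SRC [DEST_DIR]
# Copies SRC into DEST_DIR under a name ending in .crt and prints the new path.
# The rename covers the case from the comments where a .pem or .cert file was
# copied without error but never became trusted.
stage_ca_cert() {
    src=$1
    dest_dir=${2:-$LOCAL_CA_DIR}
    status=$(check_ca_file "$src") || {
        echo "refusing $src: $status" >&2
        return 1
    }
    base=$(basename "$src")
    case $base in
        *.crt) name=$base ;;
        *.*)   name=${base%.*}.crt ;;
        *)     name=$base.crt ;;
    esac
    cp "$src" "$dest_dir/$name" && chmod 644 "$dest_dir/$name" || return 1
    echo "$dest_dir/$name"
}

# install_ca_cert SRC   (needs root)
# Stages the file, rebuilds the system store, then asks OpenSSL whether the
# certificate now verifies against the rebuilt hash directory.
install_ca_cert() {
    staged=$(stage_ca_cert "$1") || return 1
    update-ca-certificates || return 1
    openssl verify -CApath /etc/ssl/certs "$staged"
}
```

Source the file and run `install_ca_cert /path/to/ca.pem` as root; applications with their own store (the NSS database used by Chrome, Java's keystore) still need the separate steps described in the accepted answer.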
Votes: 6
On Fedora 23, add the .pem or .der file to /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust extract.
See man update-ca-trust for details, e.g. whether to use /etc or /usr.
answered Mar 20 '16 at 16:43
user7610
Votes: 1
In CentOS:
    cp *.pem /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract
answered Apr 19 at 10:58
dragonfly
When I do openssl connect should I be specifying this /anchors folder? I'm still getting an error "self signed certs
– Janac Meena Jul 13 at 13:52
Votes: 0
Non Interactive Approach (Oct'18)
for recent debian based systems
The approach of just copying a cert file and calling update-ca-certificates isn't working anymore. There's a distinction between adding a cert to the host's store and activating it so that applications really utilize it. An existing cert in the store isn't necessarily used (although I have to admit that still a lot of packages are getting it wrong anyway).
This can get confusing when you set up a package which considers /etc/ca-certificates.conf and simply refuses to use your cert although it has been added without error.
You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificates.conf.
    #!/bin/bash
    CERT=mycert.crt
    # copy the certificate into the local CA directory
    cp "/mypath/to/$CERT" "/usr/local/share/ca-certificates/$CERT"
    # notice the + sign which tells to activate the cert!!!
    echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
    update-ca-certificates
By the way, activating a cert is exactly what dpkg-reconfigure ca-certificates is doing.
edited yesterday
answered yesterday
3ronco