Adding a self-signed certificate to the “trusted list”

I've generated a self-signed certificate for my build server and I'd like to globally trust the certificate on my machine, as I created the key myself and I'm sick of seeing warnings.



I'm on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://mysite.com without asking questions?










asked Sep 12 '13 at 22:49
Naftuli Kay











  • All the TLS should be vectored through OpenSSL, so that's the place to look for documentation. In this case: gagravarr.org/writing/openssl-certs/… looks useful.
    – msw
    Sep 13 '13 at 2:06




























5 Answers

accepted






The simple answer to this is that pretty much each application will handle it differently.

Also, OpenSSL and GnuTLS (the most widely used certificate processing libraries used to handle signed certificates) behave differently in their treatment of certs, which also complicates the issue. Also, operating systems utilize different mechanisms to utilize the "root CA" used by most websites.

That aside, taking Debian as an example, install the ca-certificates package:

    apt-get install ca-certificates

You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):

    cp cacert.pem /usr/share/ca-certificates

And to get it to rebuild the directory with your certificate included, run as root:

    dpkg-reconfigure ca-certificates

and select the ask option, scroll to your certificate, mark it for inclusion and select ok.

Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:

    certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file

Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it to the Root CA list.

Most other commands such as curl take command line switches you can use to point at your CA,

    curl --cacert /path/to/CA/cert.file https://...

or drop the SSL validation altogether

    curl --insecure https://...

The rest will need individual investigation if the ca-certificates-like trick does not sort it for that particular application.
















answered Sep 14 '13 at 5:42
Drav Sloan











  • Also, as noted here, adding CA certificates for Java is likewise a separate matter.
    – Naftuli Kay
    Mar 28 '14 at 0:40

  • After copying the certificate to /usr/share/ca-certificates, I can't see it in the dpkg-reconfigure ca-certificates list. What am I doing wrong?
    – Georges Dupéron
    Feb 17 '15 at 19:21

  • @GeorgesDupéron That happened to me too. I resolved it by renaming the cert from whatever.pem to whatever.crt.
    – Hello World
    Oct 3 '15 at 7:19

  • ref manuals.gfi.com/en/kerio/connect/content/server-configuration/…
    – qxo
    Jul 18 at 3:09





































Non Interactive Approach

For use in a non-interactive context (e.g. a Chef recipe) you can use the following sequence.

    sudo cp my.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates

  • Tested and works on Debian 5/6 & Ubuntu 14.04.
  • For more information, see man update-ca-certificates

This method is preferred over @Drav's method, since /usr/share/ is typically reserved for files added by the OS / apt-get.














edited Dec 9 '16 at 23:37
BobTuckerman

answered May 27 '14 at 9:07
oDDsKooL







  • It is better to copy the files to /usr/local/share/ca-certificates/ as mentioned in the man pages
    – ortang
    Feb 4 '16 at 10:20

  • FYI the A must be a .crt, I found .cert claimed it was added but did not help
    – KCD
    Dec 13 '16 at 3:53
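
The checks that the answers and comments above leave to the reader, as an added example that is not part of any answer: refuse private-key material (only the public half belongs in the store), insist on exactly one PEM certificate, stage it under a .crt name, and after update-ca-certificates confirm that the certificate really is in the generated bundle. The function names are hypothetical, one-certificate-per-file is this example's own rule, and the bundle path /etc/ssl/certs/ca-certificates.crt is the assumed Debian/Ubuntu default.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of ca-certificates.
# Defaults are Debian/Ubuntu locations; override CA_DIR / CA_BUNDLE elsewhere.
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"  # assumed bundle path

# Print one line per PEM CERTIFICATE block: the base64 body with whitespace
# removed, so two copies of a certificate compare equal however they are wrapped.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inblk && body != "") print body
                                        inblk = 0; next }
        inblk { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# stage_ca_cert SRC
# Validate SRC and copy it into CA_DIR as <name>.crt (the extension the
# comments above found to be required). Prints the destination path.
stage_ca_cert() {
    src=$1
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Only the public half belongs in a world-readable trust store.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$src"; then
        echo "refusing: $src contains a private key" >&2
        return 1
    fi

    # This example accepts exactly one PEM certificate per file; a DER file
    # or a multi-certificate bundle is rejected here.
    n=$(pem_bodies "$src" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || {
        echo "expected exactly one PEM certificate in $src, found $n" >&2
        return 1
    }

    base=$(basename "$src")
    dest="$CA_DIR/${base%.*}.crt"          # cacert.pem -> cacert.crt
    cp -- "$src" "$dest" && chmod 0644 "$dest" || return 1
    printf '%s\n' "$dest"
}

# bundle_has_cert CERT
# Succeeds only if CERT's certificate body appears in CA_BUNDLE, i.e. the
# store was actually rebuilt with it ("claimed it was added but did not help").
bundle_has_cert() {
    [ -r "$CA_BUNDLE" ] || return 1
    want=$(pem_bodies "$1" | head -n 1)
    [ -n "$want" ] || return 1
    pem_bodies "$CA_BUNDLE" | grep -qxF -- "$want"
}

# trust_ca_cert SRC  (run as root)
# Stage, rebuild the store, then verify instead of trusting the exit status.
trust_ca_cert() {
    dest=$(stage_ca_cert "$1") || return 1
    update-ca-certificates || return 1
    bundle_has_cert "$dest" || {
        echo "$dest was staged but is not in $CA_BUNDLE" >&2
        return 1
    }
    echo "trusted: $dest"
}
```

This only covers consumers of the system bundle; the NSS database used by Chrome and the Java keystore mentioned above are separate stores and are not checked here.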































On Fedora 23, add the .pem or .der file to /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust extract.

See man update-ca-trust for details, e.g. whether to use /etc or /usr.
















answered Mar 20 '16 at 16:43
user7610





























In CentOS:

    cp *.pem /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract















answered Apr 19 at 10:58
dragonfly











  • When I do openssl connect should I be specifying this /anchors folder? I'm still getting an error "self signed certs
    – Janac Meena
    Jul 13 at 13:52







































Non Interactive Approach (Oct'18)

for recent Debian-based systems

The approach of just copying a cert file and calling update-ca-certificate isn't working anymore. There's a distinction between adding a cert to the host's store and activating it so that applications really utilize those. An existing cert in the store isn't necessarily used (although I have to admit that still a lot of packages are getting it wrong anyway).

This can get confusing when you set up a package which considers /etc/ca-certificate.conf and simply refuses to use your cert although it has been added without error.
You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificate.conf.

    #!/bin/bash

    CERT=mycert.crt
    cp /mypath/to/$CERT /usr/local/share/ca-certificates/$CERT
    # notice the + sign which tells to activate the cert!!!
    echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
    update-ca-certificates;

By the way, activating a cert is exactly what dpkg-reconfigure ca-certificates is doing.














                  edited yesterday

























                  answered yesterday









                  3ronco

                  1314
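The answer above distinguishes a cert that has been added from one that applications actually use. The following added example (not part of any answer on this page) checks whether a certificate is present in the consolidated bundle that applications read. The function names and sample data are constructed for illustration, and the bundle path in the usage comment, /etc/ssl/certs/ca-certificates.crt, is an assumption about a Debian/Ubuntu system.

```bash
#!/bin/bash
# Added example; function names are hypothetical, not from the answers above.

# Print the base64 body of the first certificate in a PEM file, whitespace removed.
pem_body() {
  awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; next }
       /-----END CERTIFICATE-----/   { exit }
       inside { gsub(/[ \t\r]/, ""); printf "%s", $0 }' "$1"
}

# bundle_has_cert CERT BUNDLE
# Returns 0 if CERT is one of the certificates in BUNDLE, 1 if it is not,
# and 2 if CERT contains no PEM certificate. Line wrapping and CRLF are ignored.
bundle_has_cert() {
  local want
  want=$(pem_body "$1")
  [ -n "$want" ] || return 2
  awk -v want="$want" '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
    /-----END CERTIFICATE-----/ {
      inside = 0
      if (body == want) { found = 1; exit }
      next
    }
    inside { gsub(/[ \t\r]/, ""); body = body $0 }
    END { exit found ? 0 : 1 }' "$2"
}

# Constructed sample data: placeholder base64, not real certificates.
make_samples() {
  local b='-----BEGIN CERTIFICATE-----' e='-----END CERTIFICATE-----'
  printf '%s\n' "$b" 'QUFBQUFBQUFBQUFB' 'QkJCQkJCQkI=' "$e" > "$1/mycert.crt"
  printf '%s\n' "$b" 'Q0NDQ0NDQ0M=' "$e" > "$1/other.crt"
  # The bundle holds an unrelated cert, then mycert re-wrapped onto one line.
  printf '%s\n' "$b" 'RERERERERERERA==' "$e" \
                "$b" 'QUFBQUFBQUFBQUFBQkJCQkJCQkI=' "$e" > "$1/bundle.crt"
}

# Usage: ./check.sh /usr/local/share/ca-certificates/mycert.crt \
#                   /etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]; then
  rc=0; bundle_has_cert "$1" "$2" || rc=$?
  case $rc in
    0) echo "present in bundle" ;;
    1) echo "NOT in bundle" ;;
    *) echo "no PEM certificate in $1" ;;
  esac
fi
```

A result of "NOT in bundle" after running update-ca-certificates means the cert was copied but is not in the file that tools reading the bundle will consult.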



