Linux add trusted cert

User:Grawity/Adding a trusted CA certificate

Personal – NSS (Chromium, Firefox)

Chromium, Firefox, Thunderbird, Evolution and SeaMonkey use NSS to look up trusted CAs.

Arch's (and Fedora's) NSS packages are integrated with p11-kit, so they automatically pick up any certificate trusted system-wide. But if you prefer (or if your distro uses "pure" NSS), you can also install certificates into your own browser profile, using certutil:

Chromium and Evolution use the "shared" database at -d "sql:$HOME/.pki/nssdb".

For Firefox, Thunderbird, and SeaMonkey, specify the browser’s own profile directory (e.g. -d

System-wide – Arch, Fedora (p11-kit)

Arch Linux currently uses the p11-kit based tooling that originated in Fedora, which has more features (e.g. explicit distrust of a certificate) than the older scripts from Debian. To import a trust anchor using p11-kit, do:

  1. Run trust anchor --store myCA.crt as root.

The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit and the "legacy" directories automatically updated.

If you get "no configured writable location" or a similar error, import the CA manually:

  1. Copy the certificate to the /etc/ca-certificates/trust-source/anchors directory.
  2. Run update-ca-trust as root.

For more information, see the update-ca-trust(8) manual page.

Fedora

Same as above, but the general location is /etc/pki/ca-trust/source (and the manual installation path is /etc/pki/ca-trust/source/anchors ).

System-wide – Debian, Ubuntu (update-ca-certificates)

The Debian-style update-ca-certificates requires certificates in PEM format (the text format with BEGIN CERTIFICATE headers). If you have a file in binary (DER) format, use openssl x509 to convert it:

  1. Copy the certificate to the /usr/local/share/ca-certificates directory (mkdir if needed). The file name must end with .crt.
  2. Run update-ca-certificates as root.

For more information, see the update-ca-certificates(8) manual page.
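
The following script is an added example; it is not from the wiki page above and not part of p11-kit or Debian's ca-certificates. It carries the NSS, Arch/Fedora and Debian/Ubuntu procedures above through as one tool: it picks the anchors directory and update command for the distro it runs on, converts DER to PEM when needed, refuses files that are not CA certificates, normalises the name to .crt, rebuilds the store and then checks that OpenSSL honours the new anchor; a second mode imports into a per-user NSS database with certutil. The anchor directories and certutil trust flags are the documented ones; the function names, the file names in the usage lines and the placeholder written by sample_pem_file (a constructed stand-in, not a real certificate) are this example's own.

```shell
#!/bin/sh
# Added example (not from the page above): install one CA certificate into
# the system trust store on Debian/Ubuntu, Fedora/RHEL/CentOS, SUSE or Arch,
# or into a per-user NSS database. Function names and the sample file are
# this example's own; the directories are the documented ones.
set -eu

# "pem" if the file carries a PEM header, otherwise assume binary DER.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# update-ca-certificates only picks up *.crt, so normalise the file name:
# school.cer -> school.crt, myCA.pem -> myCA.crt, foo.crt stays foo.crt.
crt_name() {
    base=$(basename "$1")
    case "$base" in
        *.crt) echo "$base" ;;
        *.*)   echo "${base%.*}.crt" ;;
        *)     echo "$base.crt" ;;
    esac
}

# Refuse anything that is not a CA: a leaf certificate is useless as an
# anchor, and blindly trusting whatever file you were handed is how an
# interception proxy's CA ends up on every machine on the network.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Print "<anchors directory> <update command>" for the distro we are on.
trust_store() {
    if [ -d /etc/pki/trust/anchors ]; then                 # SUSE-style p11-kit layout
        echo "/etc/pki/trust/anchors update-ca-certificates"
    elif command -v update-ca-certificates >/dev/null 2>&1; then   # Debian/Ubuntu
        echo "/usr/local/share/ca-certificates update-ca-certificates"
    elif [ -d /etc/pki/ca-trust/source/anchors ]; then     # Fedora/RHEL/CentOS
        echo "/etc/pki/ca-trust/source/anchors update-ca-trust"
    elif [ -d /etc/ca-certificates/trust-source/anchors ]; then   # Arch
        echo "/etc/ca-certificates/trust-source/anchors update-ca-trust"
    else
        echo "no supported trust store found" >&2
        return 1
    fi
}

# Install one CA system-wide (run as root) and print the installed path.
install_ca() {
    src=$1
    store=$(trust_store)
    dir=${store% *}
    cmd=${store#* }
    tmp=$(mktemp)
    if [ "$(cert_format "$src")" = der ]; then
        openssl x509 -inform der -in "$src" -out "$tmp"   # DER -> PEM
    else
        cp "$src" "$tmp"
    fi
    if ! is_ca_cert "$tmp"; then
        rm -f "$tmp"
        echo "$src is not a CA certificate (no CA:TRUE basicConstraints)" >&2
        return 1
    fi
    dest="$dir/$(crt_name "$src")"
    install -d -m 0755 "$dir"        # directory 755, file 644
    install -m 0644 "$tmp" "$dest"
    rm -f "$tmp"
    "$cmd" >&2                       # rebuild the bundle and hashed links
    echo "$dest"
}

# After the rebuild, OpenSSL's default store must accept the new anchor.
verify_trusted() {
    openssl verify "$1" >/dev/null
}

# Per-user NSS database: Chromium and Evolution share "sql:$HOME/.pki/nssdb",
# Firefox uses its own profile directory. "C,," trusts the CA for server
# (TLS) certificates only, not for e-mail or code signing.
install_ca_nss() {
    db=$1; cert=$2; nick=$3
    certutil -d "$db" -A -t "C,," -n "$nick" -i "$cert"
    certutil -d "$db" -L -n "$nick" >/dev/null   # non-zero exit if the import did not land
}

# Constructed placeholder in PEM layout, for trying the helpers without a real CA.
sample_pem_file() {
    printf -- '-----BEGIN CERTIFICATE-----\nAAAA (constructed placeholder, not a real certificate)\n-----END CERTIFICATE-----\n' > "$1"
}

# Usage (as root):  sh install-ca.sh system myCA.crt
# Usage (as user):  sh install-ca.sh nss "sql:$HOME/.pki/nssdb" myCA.crt "My CA"
case "${1:-}" in
    system) dest=$(install_ca "$2"); verify_trusted "$dest"; echo "trusted: $dest" ;;
    nss)    install_ca_nss "$2" "$3" "$4" ;;
esac
```

Run the system branch as root and the NSS branch as the user who owns the profile (under sudo, $HOME is root's). verify_trusted passes because openssl verify treats a self-signed certificate it finds in the default store as a trust anchor. The CA:TRUE check rejects leaf certificates, and also very old v1 roots that carry no basicConstraints extension; those you would have to place in the anchors directory by hand.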

Source

How to add trusted Root-Certificates

How-to: Adding trusted root certificates to the OS (Win / Mac / Unix).

Feel free to edit this page to add other operating systems!

How to list all available SSL CA certificates in Linux.

Double-clicking the certificate is usually enough; it can also be done from the console.

Ubuntu, Debian, Arch

Ubuntu, Debian:

  1. Copy your CA to the directory /usr/local/share/ca-certificates/ (the file name must end in .crt).
  2. Update the CA store (run update-ca-certificates as root).

To remove it, delete your CA from /usr/local/share/ca-certificates/ and update the CA store again.

Arch:

  1. Copy your CA to the directory /etc/ca-certificates/trust-source/anchors/
  2. Update the CA store (run update-ca-trust as root).

p11-kit layout with the anchors under /etc/pki/trust/anchors/:

  1. Copy your CA to the directory /etc/pki/trust/anchors/
  2. Update the CA store.

CentOS 6 (the commands are given in the Kerio Connect section further down):

  1. Install the ca-certificates package.
  2. Enable the dynamic CA configuration feature.
  3. Add it as a new file to /etc/pki/ca-trust/source/anchors/ and update the CA store.

CentOS 5:

Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt

Solaris-specific

Solaris keeps the CA certs in "/etc/certs/CA/". Hashed links to the CA certs are in "/etc/openssl/certs/" for fast lookup and access (usually by OpenSSL).

By convention, but not required, the file names in "/etc/certs/CA" are the cert holder's CN with spaces replaced by underscores ("_") and a .pem file name extension appended. For example, the file "/etc/certs/CA/foo.pem" contains the cert for the CN "VeriSign Class 4 Public Primary Certification Authority - G3".

  1. Make sure the cert is world-readable.
  2. Copy the cert to the directory "/etc/certs/CA".
  3. Install the cert into "/etc/certs/ca-certificates.crt" and add a hashed link in "/etc/openssl/certs/".
  4. Verify that the CA cert service has restarted (and processed your new CA cert).

If the service hasn't started, the cert may be corrupt or a duplicate of an existing CA cert. Look for error messages in the files "/var/svc/log/system-ca-certificates:default.log" and "/system/volatile/system-ca-certificates:default.log".

Firefox has its own certificate store.

JVM / Java Keystore

Java uses its own "Java KeyStore (JKS)" truststore (cacerts); it does not use the trusted root certificates of the operating system.
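
Because the JVM truststore is separate, a CA installed system-wide is still unknown to Java. The script below is an added example, not from the page above or from the JDK: it locates the cacerts file of a JDK (the path differs between JDK 8 and JDK 9+), imports a CA with keytool only if the alias is not already present, and lists the alias afterwards so a silent failure is impossible. JAVA_HOME, the alias and the certificate path in the usage line are assumptions; "changeit" is the JDK's documented default cacerts password.

```shell
#!/bin/sh
# Added example (not from the page above): import a CA into the JVM's own
# cacerts truststore. JAVA_HOME, alias and file names are assumptions.
set -eu

# JDK 9+ keeps cacerts in lib/security, JDK 8 in jre/lib/security.
cacerts_path() {
    jh=${JAVA_HOME:?set JAVA_HOME to the JDK or JRE that should trust the CA}
    for p in "$jh/lib/security/cacerts" "$jh/jre/lib/security/cacerts"; do
        if [ -f "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    echo "no cacerts under $jh" >&2
    return 1
}

# Idempotent import: skip if the alias exists, import with -trustcacerts so
# keytool can chain an intermediate to a root already in the store, then
# list the alias so a failed import is a hard error rather than a warning.
install_ca_java() {
    cert=$1; alias=$2; pw=${3:-changeit}     # "changeit" is the JDK default
    ks=$(cacerts_path)
    if keytool -list -keystore "$ks" -storepass "$pw" -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already present in $ks"
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -keystore "$ks" -storepass "$pw" \
            -alias "$alias" -file "$cert"
    keytool -list -keystore "$ks" -storepass "$pw" -alias "$alias"
}

# Usage: JAVA_HOME=/usr/lib/jvm/java-17 sh java-ca.sh myCA.crt myca
if [ $# -ge 2 ]; then
    install_ca_java "$1" "$2"
fi
```

Every JDK on the machine has its own cacerts, so repeat the import per installation. On Debian and Ubuntu the ca-certificates-java package maintains /etc/ssl/certs/java/cacerts from the system CA list, and the packaged JDKs point at that file, so there the system-wide route above already covers Java.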

Source

Adding trusted root certificates to the server

If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add the trusted root certificate (a certificate issued by a trusted certificate authority (CA); in SSL, anyone can generate a signing key and sign a new certificate) manually.

Use the following steps to add or remove trusted root certificates to/from a server.

Mac OS X

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain

sudo security delete-certificate -c "<common name>"

Windows

certutil -addstore -f "ROOT" new-root-certificate.crt

certutil -delstore "ROOT" serial-number-hex

Linux (Ubuntu, Debian)

Add:
  1. Copy your CA to the directory /usr/local/share/ca-certificates/: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
  2. Update the CA store: sudo update-ca-certificates

Remove:
  1. Remove your CA from /usr/local/share/ca-certificates/.
  2. Update the CA store: sudo update-ca-certificates --fresh

Restart Kerio Connect to reload the certificates in the 32-bit versions or Debian 7.

Linux (CentOS 6)

Add:
  1. Install the ca-certificates package: yum install ca-certificates
  2. Enable the dynamic CA configuration feature: update-ca-trust force-enable
  3. Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/
  4. Update the CA store: update-ca-trust extract

Restart Kerio Connect to reload the certificates in the 32-bit version.

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

Restart Kerio Connect to reload the certificates in the 32-bit version.

Source

Adding a self-signed certificate to the «trusted list»

I’ve generated a self-signed certificate for my build server and I’d like to globally trust the certificate on my machine, as I created the key myself and I’m sick of seeing warnings.

I’m on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://mysite.com without asking questions?

6 Answers

The simple answer to this is that pretty much each application will handle it differently.

Also OpenSSL and GnuTLS (the most widely used certificate processing libraries used to handle signed certificates) behave differently in their treatment of certs, which also complicates the issue. Also operating systems utilize different mechanisms to utilize the "root CA" used by most websites.

That aside, giving Debian as an example. Install the ca-certificates package:

You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):

NOTE: Certificate needs to have .crt extension for it to be picked up.

And get it to rebuild the directory with your certificate included, run as root:

and select the ask option, scroll to your certificate, mark it for inclusion and select ok.

Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:

Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it into the Root CA list.

Most other commands such as curl take command line switches you can use to point at your CA,

or drop the SSL validation altogether

The rest will need individual investigation if the ca-certificates like trick does not sort it for that particular application.

Source

How to install certificates for command line

So in school we need to install a certificate to access https sites. In firefox, I can import the certificate. However, I can’t do so with the command line. For example, running git push I get:

How do I import a certificate to remove this? The import must be able to authenticate for me. Also, it is a .cer file, so the answer for .crt will not work. Also, I do not want steps on how to setup git, as I already have. I want to know if it is possible to do that. Or can I just disable authentication with the git command totally and make it ignore certificates like what the answer here says? Also, I do not want the webpage to load, I have set firefox to do that. I want the git push command to give the standard output like:

Note: I found out it's git config --global http.sslverify false. But I would like to see an answer for everything, not just a git hack.

7 Answers

TL;DR

For everything to work and not only your browser, you need to add that CA certificate to the system’s trusted CA repository.

  • Go to /usr/local/share/ca-certificates/
  • Create a new folder, i.e. «sudo mkdir school»
  • Copy the .crt file into the school folder
  • Make sure the permissions are OK (755 for the folder, 644 for the file)
  • Run «sudo update-ca-certificates»

Why

Let me explain what is going on also, so the other posters see why they don’t need any certificate to use Github over HTTPS.

What is going on there is that your school is intercepting all the SSL communications, probably in order to monitor them.

To do that, what they do is in essence a "man in the middle" attack, and because of that, your browser rightfully complains that it is not able to verify github's certificate. Your school proxy is taking out github's cert and instead providing its own cert.

When your browser tries to verify the school’s provided cert against the CA that signed github’s cert, it rightfully fails.

So, for the SSL connection to work in the school, you need to consciously accept that "MITM" attack. And you do that by adding the school's CA certificate as a trusted one.

When you trust that school CA, your verification of the fake github cert will work, since the fake github cert will be verified by the school CA.

Be aware that the SSL connection is not safe anymore, since your school administrator will be able to intercept all your encrypted connections.
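
What the answer describes can be checked from the shell rather than taken on faith. The script below is an added example, not part of the answer above or of any tool it mentions: it prints which CA signed the certificate a host actually presents, extracts the issuer CN from either of OpenSSL's two output formats, and compares it with the CA you have been told to trust, so you can see whether a given connection is going through the intercepting proxy. The host name and the "School Proxy CA" name are assumptions for illustration, and the two issuer= strings are constructed samples of OpenSSL's output, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the answer above): show who signed the certificate
# a host presents and compare it with a proxy CA you were asked to trust.
# Host and CA names are assumptions; the sample strings are constructed.
set -eu

# Issuer DN of the leaf certificate the server (or the proxy) presents.
# -servername sends SNI, which most hosts need to return the right cert.
issuer_of_host() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# SHA-256 fingerprint of the leaf, to compare with what the site publishes
# or with what you see from a network that is not intercepted.
fingerprint_of_host() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Pull the CN out of an "issuer=" line. OpenSSL 1.1+ prints
# "issuer=C = US, O = Example, CN = Example Root CA"; older releases print
# "issuer= /C=US/O=Example/CN=Example Root CA". Both forms are handled.
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/.*[=/, ]CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Constructed sample output lines in the two formats (not from a real host).
SAMPLE_ISSUER_NEW='issuer=CN = School Proxy CA, O = Example School'
SAMPLE_ISSUER_OLD='issuer= /C=US/O=Example/CN=Example Root CA'

# Exit 0 (and say so) if the leaf was issued by the proxy CA, 1 otherwise.
intercepted_by() {
    host=$1; proxy_ca_cn=$2
    cn=$(issuer_cn "$(issuer_of_host "$host")")
    if [ "$cn" = "$proxy_ca_cn" ]; then
        echo "$host: leaf certificate issued by '$cn' (interception proxy CA)"
        return 0
    fi
    echo "$host: leaf certificate issued by '$cn'"
    return 1
}

# Usage: sh who-signed.sh github.com "School Proxy CA"
if [ $# -ge 2 ]; then
    intercepted_by "$1" "$2" || true
    fingerprint_of_host "$1"
fi
```

If the proxy signs leaf certificates through an intermediate, the leaf's issuer CN will be the intermediate's, not the root's; in that case look at the whole chain (openssl s_client -showcerts) and compare the top certificate instead. Run the same check from outside the school network to see the site's real issuer and fingerprint for comparison.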

Source
