Linux add trusted ssl certificate

How to add trusted Root-Certificates

How-to: Adding trusted root certificates to the OS (Windows / Mac / Unix).

Feel free to edit this page to add other operating systems!

How to list all available SSL CA certificates in Linux.

Double-clicking the certificate is usually enough. It can be done from the console too.

Ubuntu, Debian

Copy your CA (PEM, with a .crt extension) to the dir /usr/local/share/ca-certificates/

Update the CA store: sudo update-ca-certificates

Remove your CA from /usr/local/share/ca-certificates/ and update the CA store again with sudo update-ca-certificates --fresh to drop it from the bundle.

Arch

Copy your CA to the dir /etc/ca-certificates/trust-source/anchors/

Update the CA store: trust extract-compat

openSUSE / SLES

Copy your CA to the dir /etc/pki/trust/anchors/

Update the CA store: update-ca-certificates

CentOS / RHEL 6

Install the ca-certificates package: yum install ca-certificates

Enable the dynamic CA configuration feature: update-ca-trust force-enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/ and update the CA store: update-ca-trust extract

CentOS 5

Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt
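A script that performs the per-distribution steps above, added here as an example (it is not from the page): it maps the ID from /etc/os-release to the anchor directory and update command listed above, converts a DER (.cer) file to PEM when needed, installs it with the .crt extension that Debian's update-ca-certificates requires, verifies the result, and can list every subject in the generated bundle (the "list all CA certificates" question above). The /etc/os-release detection, the bundle paths and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the page): install a private root CA into the
# system trust store on the distributions listed above, then list what the
# bundle contains. The anchor directories and update commands are the ones
# from the page; the /etc/os-release detection and the bundle paths are this
# example's assumptions.
set -eu

# Print "<anchor dir>|<update command>|<resulting bundle>" for a distro.
# $1 = ID from /etc/os-release, $2 = ID_LIKE (may be empty) so that
# derivatives such as Mint or Rocky resolve to their parent family.
ca_store_for() {
    case " $1 $2 " in
        *" debian "*|*" ubuntu "*)
            echo "/usr/local/share/ca-certificates|update-ca-certificates|/etc/ssl/certs/ca-certificates.crt" ;;
        *" arch "*)
            echo "/etc/ca-certificates/trust-source/anchors|trust extract-compat|/etc/ssl/certs/ca-certificates.crt" ;;
        *" suse "*|*" opensuse "*)
            echo "/etc/pki/trust/anchors|update-ca-certificates|/etc/ssl/ca-bundle.pem" ;;
        *" rhel "*|*" centos "*|*" fedora "*)
            # CentOS 6 additionally needs "update-ca-trust force-enable" once
            echo "/etc/pki/ca-trust/source/anchors|update-ca-trust extract|/etc/pki/tls/certs/ca-bundle.crt" ;;
        *)  return 1 ;;
    esac
}

# True if the file is PEM; a DER file (typically .cer) has no such header.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

detect_store() {
    . /etc/os-release
    ca_store_for "${ID:-}" "${ID_LIKE:-}" ||
        { echo "unsupported distro: ${ID:-unknown}" >&2; return 1; }
}

# Install a root CA (PEM or DER). Must run as root.
install_ca() {
    cert=$1
    store=$(detect_store)
    dir=${store%%|*}; rest=${store#*|}; update=${rest%%|*}
    # Debian's update-ca-certificates only picks up files ending in .crt
    target="$dir/$(basename "${cert%.*}").crt"
    if is_pem "$cert"; then
        cp "$cert" "$target"
    else
        openssl x509 -inform der -in "$cert" -out "$target"   # DER -> PEM
    fi
    chmod 644 "$target"
    $update        # word-split on purpose: "update-ca-trust extract"
    # A root that is now in the default store verifies against itself
    openssl verify "$target"
}

# Print the subject of every certificate in the distro's generated bundle.
list_trusted() {
    bundle=$(detect_store); bundle=${bundle##*|}
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++}
        n{f=sprintf("%s/%04d.pem", d, n); print >> f; close(f)}' "$bundle"
    for f in "$tmp"/*.pem; do openssl x509 -in "$f" -noout -subject; done
    rm -rf "$tmp"
}

case "${1:-}" in
    install) install_ca "${2:?path to CA certificate}" ;;
    list)    list_trusted ;;
esac
```

Run `sudo sh add-ca.sh install corp-root.cer` to install and `sh add-ca.sh list` to see what the system now trusts; the final `openssl verify` only succeeds for a self-signed root, so an intermediate CA must be installed together with its root.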

Solaris

Solaris keeps the CA certs in /etc/certs/CA/. Hashed links to the CA certs are in /etc/openssl/certs/ for fast lookup and access (usually by OpenSSL).

By convention, but not required, the filenames in /etc/certs/CA are the cert holder's CN with spaces replaced by underscores (_) and a .pem file name extension appended. For example, the file /etc/certs/CA/foo.pem contains the cert for CN "VeriSign Class 4 Public Primary Certification Authority - G3".

Make sure the cert is world-readable, if it is not already.

Copy the cert to the directory /etc/certs/CA.

Install the cert into /etc/certs/ca-certificates.crt and add a hashed link in /etc/openssl/certs/.

Verify that the CA cert service has restarted (and processed your new CA cert).

If the service hasn't started, the cert may be corrupt or a duplicate of an existing CA cert. Look for error messages in the files /var/svc/log/system-ca-certificates:default.log and /system/volatile/system-ca-certificates:default.log

Firefox has its own certificate store.

JVM / Java Keystore

Java uses its own Java KeyStore (JKS) format and does not consult the operating system's trusted root certificates; a CA has to be imported into the JVM's truststore (cacerts) separately, for example with keytool.


Source

Adding trusted root certificates to the server

If you want to send or receive messages signed by root authorities that are not installed on the server, you must add the trusted root certificate manually (a trusted root is a certificate issued by a trusted certificate authority (CA); in SSL anyone can generate a signing key and sign a new certificate, which is why a root has to be explicitly trusted).

Use the following steps to add or remove trusted root certificates to/from a server.

Mac OS X

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain new-root-certificate.crt

sudo security delete-certificate -c "<name of certificate>"

Windows

certutil -addstore -f "ROOT" new-root-certificate.crt

certutil -delstore "ROOT" serial-number-hex

Linux (Ubuntu, Debian)

Add:
  1. Copy your CA to the dir /usr/local/share/ca-certificates/: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
  2. Update the CA store: sudo update-ca-certificates

Remove:
  1. Remove your CA from /usr/local/share/ca-certificates/.
  2. Update the CA store: sudo update-ca-certificates --fresh

Restart Kerio Connect to reload the certificates in the 32-bit versions or Debian 7.

Linux (CentOS 6)

Add:
  1. Install the ca-certificates package: yum install ca-certificates
  2. Enable the dynamic CA configuration feature: update-ca-trust force-enable
  3. Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/
  4. Update the CA store: update-ca-trust extract

Restart Kerio Connect to reload the certificates in the 32-bit version.

Linux (CentOS 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

Restart Kerio Connect to reload the certificates in the 32-bit version.

Source

Adding a self-signed SSL certificate for localhost on Ubuntu (NGINX)

The core function of an SSL/TLS certificate is to authenticate the server so that client-server communication can be encrypted: data is encrypted before it crosses the network and can be decrypted only by the intended recipient.

The SSL/TLS protocol consists of two sub-protocols. The handshake protocol defines how a client and server establish a connection, authenticating the server and agreeing on the cipher suite and keys; the record protocol defines how the hosts exchange data once the connection is established.

Handshake process
1. The server presents its certificate to authenticate itself to the client. Server certificates use the X.509 format (ITU-T X.509, profiled for the Internet in RFC 5280).
2. The client validates the certificate with public-key cryptography: it checks the issuing CA's signature on the certificate, the validity period, and that the name in the certificate matches the host it connected to.
3. Optionally the server requests a client certificate, and the client authenticates itself the same way. Once both sides are satisfied, the session keys are derived and the connection is established.
4. For step 2 to succeed, the certificate must chain to a CA the client trusts: either a public CA (Amazon, GoDaddy, etc.) or a certificate you have added to the client's trust store yourself, which is what the rest of this article does.

Why do we need to secure localhost?
As a developer you often keep the client and server on the same system to speed up development, and in a local testing environment you usually work with dummy data, so there is little need to protect data in transit: the probability of it leaking over the network is almost zero, and the need to secure localhost diminishes. The need arises when you start using third-party APIs, most of which accept requests or callbacks over HTTPS only.

What is a self-signed certificate?
Many organisations provide SSL certificates (Amazon, Cloudflare, etc.). They validate your ownership of the domain before issuing a certificate. For a local domain that is not even possible, because localhost is a special name that nobody can claim ownership of. In that case you sign the certificate yourself, and the browser then has to be told to trust it.

How to add SSL certificates for localhost?

This can be divided into three steps:

  1. Generate certificates
  2. Configuring NGINX to use it
  3. Adding it to the cert database for browser usage.

Generating Certificates

1. Install OpenSSL

Note: any OpenSSL release tarball works; on Ubuntu the openssl package from apt is enough.

2. Create a conf for OpenSSL

3. Content for open_ssl.conf

4. Generate certificates

What the options of the openssl command mean:
  • req is the OpenSSL subcommand for certificate requests;
  • -x509 makes it output a self-signed certificate instead of a certificate signing request;
  • -nodes leaves the private key unencrypted, so no passphrase is asked for;
  • -days 1024 sets the certificate validity period in days;
  • -newkey rsa:2048 generates a new private key using the RSA algorithm with a key length of 2048 bits;
  • -keyout localhost.key is the path to place the private key file;
  • -out localhost.crt is the path to place the certificate file;
  • -config openssl.cnf is the path to the configuration file.

Configuring NGINX

  1. Copy certificate and key to ssl directory

2. NGINX conf
Add the following lines to your *.conf file

If you want to redirect all your HTTP request to HTTPS then add the following code in the *.conf file

Check NGINX conf and reload NGINX

Adding certificates to database

Now if you open your local website, the browser will throw the error "Your connection is not secure": NGINX redirects to the https URL, but the browser does not trust the certificate because it is self-signed and not issued by any CA in its store.

We need to add the generated SSL certificate to the database that browser uses. For this we will use “certutil” utility which is part of the libnss3-tools package.

To add certificate to the database, navigate to the directory where localhost.crt is kept and then run the following command.

Now reload NGINX, close the browser (incognito windows too) and reopen it. Restarting the browser is important, otherwise it will not read the updated database. When you navigate to your local domain you should see the secure lock next to the domain in the URL bar.

Note: This has been tested on Chrome and Opera and works on both. Firefox uses its own certificate store and will throw "Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT"; in that case add an exception for your local domain's certificate in the Firefox settings, or simply click "Accept the Risk and Continue".
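The three steps above (generate, configure NGINX, trust in the browser database) as one script, added here as an example that is not part of the article. It assumes the site name is $DOMAIN (default localhost, with 127.0.0.1 as a second SAN), that the key and certificate go to /etc/ssl/private and /etc/ssl/certs, that the NGINX snippet goes to /etc/nginx/conf.d, and that the NSS database is the per-user one Chromium-based browsers read (~/.pki/nssdb); the OpenSSL config adds a subjectAltName, which the article's stripped config presumably also had, because browsers ignore the CN.

```shell
#!/bin/sh
# Added example (not from the article): the three steps above in one script.
# Assumptions of this example: the site name is $DOMAIN (default localhost,
# with 127.0.0.1 as a second SAN), key and cert go to /etc/ssl/private and
# /etc/ssl/certs, the NGINX snippet goes to /etc/nginx/conf.d, and the NSS
# database is the per-user one Chromium-based browsers read (~/.pki/nssdb).
set -eu

DOMAIN=${DOMAIN:-localhost}
KEY_DIR=${KEY_DIR:-/etc/ssl/private}
CERT_DIR=${CERT_DIR:-/etc/ssl/certs}

# OpenSSL request config with a subjectAltName: browsers ignore the CN and
# reject a certificate whose SAN does not contain the host name.
write_openssl_conf() {   # $1 = output path, $2 = DNS name
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
CN = $2

[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = $2
IP.1  = 127.0.0.1
EOF
}

# 2048-bit RSA key plus self-signed certificate, with the flags explained above.
gen_cert() {   # $1 = config, $2 = key out, $3 = cert out
    openssl req -x509 -nodes -days 1024 -newkey rsa:2048 \
        -keyout "$2" -out "$3" -config "$1"
    chmod 600 "$2"   # the private key must not be world-readable
}

# NGINX: one server block redirecting HTTP, one serving HTTPS.
write_nginx_conf() {   # $1 = output path, $2 = server name, $3 = cert, $4 = key
    cat > "$1" <<EOF
server {
    listen 80;
    server_name $2;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $2;
    ssl_certificate     $3;
    ssl_certificate_key $4;
    ssl_protocols       TLSv1.2 TLSv1.3;
    root /var/www/html;
}
EOF
}

# Register the certificate in the NSS database that Chrome/Chromium/Opera
# consult. "P,," marks a self-signed leaf as a trusted peer; for a CA
# certificate you would use "C,,". Firefox has its own profile store.
trust_in_nss() {   # $1 = cert path, $2 = nickname
    db="$HOME/.pki/nssdb"
    mkdir -p "$db"
    [ -f "$db/cert9.db" ] || certutil -N -d sql:"$db" --empty-password
    certutil -d sql:"$db" -A -t "P,," -n "$2" -i "$1"
}

main() {
    conf=$(mktemp)
    write_openssl_conf "$conf" "$DOMAIN"
    gen_cert "$conf" "$KEY_DIR/$DOMAIN.key" "$CERT_DIR/$DOMAIN.crt"
    write_nginx_conf "/etc/nginx/conf.d/$DOMAIN.conf" "$DOMAIN" \
        "$CERT_DIR/$DOMAIN.crt" "$KEY_DIR/$DOMAIN.key"
    nginx -t && systemctl reload nginx   # check the config before reloading
    trust_in_nss "$CERT_DIR/$DOMAIN.crt" "$DOMAIN"
    rm -f "$conf"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The first three functions write to system directories and need root; trust_in_nss must run as the user who runs the browser, because it writes that user's ~/.pki/nssdb (run it separately without sudo if you used sudo for the rest).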

Source

Adding a self-signed certificate to the «trusted list»

I’ve generated a self-signed certificate for my build server and I’d like to globally trust the certificate on my machine, as I created the key myself and I’m sick of seeing warnings.

I’m on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://mysite.com without asking questions?


The simple answer to this is that pretty much each application will handle it differently.

Also OpenSSL and GnuTLS (the most widely used certificate processing libraries used to handle signed certificates) behave differently in their treatment of certs, which also complicates the issue. Also operating systems utilize different mechanisms to utilize the "root CA" used by most websites.

That aside, giving Debian as an example. Install the ca-certificates package:

You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):

NOTE: Certificate needs to have .crt extension for it to be picked up.

And get it to rebuild the directory with your certificate included, run as root:

and select the ask option, scroll to your certificate, mark it for inclusion and select ok.

Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:

Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it to the Root CA list.

Most other commands such as curl take command line switches you can use to point at your CA,

or drop the SSL validation altogether

The rest will need individual investigation if the ca-certificates like trick does not sort it for that particular application.

Source

How to install certificates for command line

So in school we need to install a certificate to access https sites. In firefox, I can import the certificate. However, I can’t do so with the command line. For example, running git push I get:

How do I import a certificate to remove this? The import must be able to authenticate for me. Also, it is a .cer file, so the answer for .crt will not work. Also, I do not want steps on how to setup git, as I already have. I want to know if it is possible to do that. Or can I just disable authentication with the git command totally and make it ignore certificates like what the answer here says? Also, I do not want the webpage to load, I have set firefox to do that. I want the git push command to give the standard output like:

Note: I found out it's git config --global http.sslverify false. But I would like to see an answer for everything, not just a git hack.


TL;DR

For everything to work and not only your browser, you need to add that CA certificate to the system’s trusted CA repository.

  • Go to /usr/local/share/ca-certificates/
  • Create a new folder, i.e. "sudo mkdir school"
  • Copy the .crt file into the school folder
  • Make sure the permissions are OK (755 for the folder, 644 for the file)
  • Run "sudo update-ca-certificates"

Why

Let me explain what is going on also, so the other posters see why they don’t need any certificate to use Github over HTTPS.

What is going on there is that your school is intercepting all the SSL communications, probably in order to monitor them.

To do that, what they do is in essence a "man in the middle" attack, and because of that, your browser rightfully complains that it is not able to verify github's certificate. Your school proxy is taking out github's cert and instead providing its own cert.

When your browser tries to verify the school’s provided cert against the CA that signed github’s cert, it rightfully fails.

So, for the SSL connection to work in the school, you need to consciously accept that "MITM" attack. And you do that by adding the school's CA certificate as a trusted one.

When you trust that school CA, your verification of the fake github cert will work, since the fake github cert will be verified by the school CA.

Be aware that SSL connection is not safe anymore since your school administrator will be able to intercept all your encrypted connections.
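Both answers above end with "each application handles it differently": the first mentions curl's command-line switches, the second a git hack. As an added example that is not part of either answer, this script configures git, curl, OpenSSL-based tools and the JVM to use the CA file instead of disabling verification, and includes a text check for a lingering http.sslVerify=false. It assumes the CA has already been converted to PEM and installed as /usr/local/share/ca-certificates/school/school-ca.crt (the layout from the answer above); the alias "school-ca" and the function names are this example's choice.

```shell
#!/bin/sh
# Added example (not from either answer): trust a private CA per application
# without turning verification off. Assumes the CA has already been converted
# to PEM and installed as /usr/local/share/ca-certificates/school/school-ca.crt
# (the layout from the answer above); the alias "school-ca" and the function
# names are this example's choice.
set -eu

CA=${CA:-/usr/local/share/ca-certificates/school/school-ca.crt}

# git: drop the http.sslVerify=false hack and pin the CA file instead. After
# update-ca-certificates the system bundle would also work without this.
git_trust_ca() {   # $1 = CA file
    git config --global --unset http.sslVerify || true
    git config --global http.sslCAInfo "$1"
}

# curl: --cacert for a one-off check; prints the HTTP status.
curl_with_ca() {   # $1 = CA file, $2 = URL
    curl --cacert "$1" -sS -o /dev/null -w '%{http_code}\n' "$2"
}

# OpenSSL-linked tools and Python requests read these variables; source
# this file (". ./trust.sh") for them to affect your shell.
export_ca_env() {   # $1 = CA file
    export SSL_CERT_FILE="$1" REQUESTS_CA_BUNDLE="$1" CURL_CA_BUNDLE="$1"
}

# JVM: the default truststore is separate from the OS store. -cacerts needs
# Java 9+; on older JDKs use -keystore "$JAVA_HOME/lib/security/cacerts".
java_trust_ca() {   # $1 = CA file
    keytool -importcert -trustcacerts -cacerts -storepass changeit \
        -noprompt -alias school-ca -file "$1"
}

# Text check for a lingering "sslVerify = false" in a git config file; git
# keys are case-insensitive, hence -i. Works without git installed.
sslverify_disabled() {   # $1 = git config file
    grep -qiE '^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*false' "$1"
}

if [ "${1:-}" = "--run" ]; then
    git_trust_ca "$CA"
    java_trust_ca "$CA"
    if sslverify_disabled "$HOME/.gitconfig"; then
        echo "http.sslVerify is still false in ~/.gitconfig" >&2; exit 1
    fi
fi
```

The point of pinning the CA file rather than setting http.sslverify false is that the proxy's interception is then the only party you have accepted; with verification off, any other man in the middle on the path is accepted too.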

Source
