Linux install certificate trusted ca

User:Grawity/Adding a trusted CA certificate

Contents

Personal – NSS (Chromium, Firefox)

Chromium, Firefox, Thunderbird, Evolution, SeaMonkey use NSS for retrieving trusted CAs.

Arch’s (and Fedora’s) NSS packages are integrated with p11-kit, so they should automatically pick up any certificates used system-wide. But if you prefer (or if your distro uses «pure» NSS), you can install certificates into your own browser profile as well – use certutil for this:

Chromium and Evolution use the «shared» database at -d «sql:$HOME/.pki/nssdb» .

For Firefox, Thunderbird, and SeaMonkey, specify the browser’s own profile directory (e.g. -d

System-wide – Arch, Fedora (p11-kit)

Currently Arch Linux uses p11-kit from Fedora, which has more features (e.g. explicit distrusts) than the older scripts from Debian. To import a trust anchor using p11-kit, do:

1. Run trust anchor —store myCA.crt as root.

The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit and the «legacy» directories automatically updated.

If you get «no configured writable location» or a similar error, import the CA manually:

1. Copy the certificate to the /etc/ca-certificates/trust-source/anchors directory.
2. Run update-ca-trust as root.

For more information, see the update-ca-trust(8) manual page.

Fedora

Same as above, but the general location is /etc/pki/ca-trust/source (and the manual installation path is /etc/pki/ca-trust/source/anchors ).

System-wide – Debian, Ubuntu (update-ca-certificates)

The Debian-style update-ca-certificates requires certificates in PEM format (the text format with BEGIN CERTIFICATE headers). If you have a file in binary (DER) format, use openssl x509 to convert it:

1. Copy the certificate to the /usr/local/share/ca-certificates directory (mkdir if needed). The file name must end with .crt .
2. Run update-ca-certificates as root.

For more information, see the update-ca-certificates(8) manual page.

Источник

Обновление корневых сертификатов на Linux

От корневых сертификатов в системе может зависеть правильная работа при обращении к ресурсам, которые работают по зашифрованному каналу связи. Если данные сертификаты устареют, мы можем столкнуться с рядом проблем:

• Не открываются или выдают предупреждение безопасности некоторые (или все) сайты, работающие по https.
• Некорректная работа отдельных приложений.
• Ошибки при подключении по ssh.

Это пример ошибок, который не претендует на свою полному. Чаще всего, проблемы встречаются на системах, снятых с обслуживания.

Установка из репозитория

Самый простой способ, который нужно попробовать, установить сертификаты из официального репозитория системы. В зависимости от ее типа, наши команды будут немного отличаться.

а) для систем на базе DEB (Debian, Ubuntu, Mint):

apt install ca-certificates

б) для систем на базе RPM (Rocky Linux, CentOS):

yum install ca-certificates

Если нам повезет и в репозитории будут обновленные корневые центры, наша работа закончена. Иначе, устанавливаем сертификаты вручную.

Загрузка пакета с сертификатами

Установка из репозитория может не дать нужного эффекта, если в нем находятся не самые свежие сертификаты или наша система сильно устарела или не имеет выхода в Интернет.

В этом случае нам нужно загрузить пакет с корневыми сертификатами вручную. Разберем пример на системе Ubuntu. В официальном репозитории или в поисковой системе находим пакет для загрузки, например, по ссылке ftp.ru.debian.org/debian/pool/main/c/ca-certificates копируем ссылку на файл с последней версией сертификатов, и загружаем его на наш компьютер:

Полученный пакет устанавливаем в системе:

dpkg -i ca-certificates_20210119_all.deb

И обновляем корневые сертификаты:

Установка вручную

Выше рассмотрены самые удобные способы обновления корневых сертификатов. Но мы можем столкнуться с ситуацией, когда в предоставляемых официальных пакетах не окажется обновленного сертификата. Например, на момент написания данной инструкции у систем на базе Deb не оказалось нового сертификата для Let’s Encrypt, а старый закончил свое действие 30 сентября 2021 года.

В данном случае, мы можем установить любой нужный нам сертификат руками. Для этого скачала находим его и копируем — приведем пример с Let’s Encrypt. На странице letsencrypt.org/ru/certificates мы можем увидеть ссылки на корневые сертификаты. Допустим, нам нужен Let’s Encrypt Authority X3 (Signed by ISRG Root X1), который доступен по ссылке letsencrypt.org/certs/letsencryptauthorityx3.pem.txt. Копируем последовательность и создаем файл на компьютере:

——BEGIN CERTIFICATE——
MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
——END CERTIFICATE——

Открываем на редактирование файл:

И добавляем в него строку с указанием на созданный файл:

Источник

Adding trusted root certificates to the server

If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add a trusted root certificate A certificate issued by a trusted certificate authority (CA). In the SSL, anyone can generate a signing key and sign a new certificate. manually.

Use the following steps to add or remove trusted root certificates to/from a server.

Mac OS X

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain

sudo security delete-certificate -c » «

Windows

certutil -addstore -f «ROOT» new-root-certificate.crt

certutil -delstore «ROOT» serial-number-hex

Linux (Ubuntu, Debian)

Function	Method
Add	Copy your CA to dir /usr/local/share/ca-certificates/ Use command: sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt Update the CA store: sudo update-ca-certificates
Remove	Remove your CA. Update the CA store: sudo update-ca-certificates —fresh

Restart Kerio Connect to reload the certificates in the 32-bit versions or Debian 7.

Linux (CentOs 6)

Function	Method
Add	Install the ca-certificates package: yum install ca-certificates Enable the dynamic CA configuration feature: update-ca-trust force-enable Add it as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/ Use command: update-ca-trust extract

Restart Kerio Connect to reload the certificates in the 32-bit version.

Linux (CentOs 5)

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt

Restart Kerio Connect to reload the certificates in the 32-bit version.

Источник

Certificates

One of the most common forms of cryptography today is public-key cryptography. Public-key cryptography utilizes a public key and a private key. The system works by encrypting information using the public key. The information can then only be decrypted using the private key.

A common use for public-key cryptography is encrypting application traffic using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) connection. One example: configuring Apache to provide HTTPS, the HTTP protocol over SSL/TLS. This allows a way to encrypt traffic using a protocol that does not itself provide encryption.

A certificate is a method used to distribute a public key and other information about a server and the organization who is responsible for it. Certificates can be digitally signed by a Certification Authority, or CA. A CA is a trusted third party that has confirmed that the information contained in the certificate is accurate.

Types of Certificates

To set up a secure server using public-key cryptography, in most cases, you send your certificate request (including your public key), proof of your company’s identity, and payment to a CA. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server. Alternatively, you can create your own self-signed certificate.

Note that self-signed certificates should not be used in most production environments.

Continuing the HTTPS example, a CA-signed certificate provides two important capabilities that a self-signed certificate does not:

Browsers (usually) automatically recognize the CA signature and allow a secure connection to be made without prompting the user.

When a CA issues a signed certificate, it is guaranteeing the identity of the organization that is providing the web pages to the browser.

Most of the software supporting SSL/TLS have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection. Also, other applications may generate an error message when using a self-signed certificate.

The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:

Create a private and public encryption key pair.

Create a certificate signing request based on the public key. The certificate request contains information about your server and the company hosting it.

Send the certificate request, along with documents proving your identity, to a CA. We cannot tell you which certificate authority to choose. Your decision may be based on your past experiences, or on the experiences of your friends or colleagues, or purely on monetary factors.

Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.

When the CA is satisfied that you are indeed who you claim to be, they send you a digital certificate.

Install this certificate on your secure server, and configure the appropriate applications to use the certificate.

Generating a Certificate Signing Request (CSR)

Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key.

If the certificate will be used by service daemons, such as Apache, Postfix, Dovecot, etc., a key without a passphrase is often appropriate. Not having a passphrase allows the services to start without manual intervention, usually the preferred way to start a daemon.

This section will cover generating a key with a passphrase, and one without. The non-passphrase key will then be used to generate a certificate that can be used with various service daemons.

Running your secure service without a passphrase is convenient because you will not need to enter the passphrase every time you start your secure service. But it is insecure and a compromise of the key means a compromise of the server as well.

To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt:

You can now enter your passphrase. For best security, it should at least contain eight characters. The minimum length when specifying -des3 is four characters. As a best practice it should include numbers and/or punctuation and not be a word in a dictionary. Also remember that your passphrase is case-sensitive.

Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in the server.key file.

Now create the insecure key, the one without a passphrase, and shuffle the key names:

The insecure key is now named server.key , and you can use this file to generate the CSR without passphrase.

To create the CSR, run the following command at a terminal prompt:

It will prompt you enter the passphrase. If you enter the correct passphrase, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file.

You can now submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate. On the other hand, you can create self-signed certificate using this CSR.

Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt:

The above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the server.crt file.

If your secure server is to be used in a production environment, you probably need a CA-signed certificate. It is not recommended to use self-signed certificate.

Installing the Certificate

You can install the key file server.key and certificate file server.crt , or the certificate file issued by your CA, by running following commands at a terminal prompt:

Now simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.

Certification Authority

If the services on your network require more than a few self-signed certificates it may be worth the additional effort to setup your own internal Certification Authority (CA). Using certificates signed by your own CA, allows the various services using the certificates to easily trust other services using certificates issued from the same CA.

First, create the directories to hold the CA certificate and related files:

The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, each certificate must have a unique serial number, and another file to record which certificates have been issued:

The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit /etc/ssl/openssl.cnf , and in the [ CA_default ] change:

Next, create the self-signed root certificate:

You will then be asked to enter the details about the certificate.

Now install the root certificate and key:

You are now ready to start signing certificates. The first item needed is a Certificate Signing Request (CSR), see Generating a Certificate Signing Request (CSR) for details. Once you have a CSR, enter the following to generate a certificate signed by the CA:

After entering the password for the CA key, you will be prompted to sign the certificate, and again to commit the new certificate. You should then see a somewhat large amount of output related to the certificate creation.

There should now be a new file, /etc/ssl/newcerts/01.pem , containing the same output. Copy and paste everything beginning with the line: ——BEGIN CERTIFICATE—— and continuing through the line: —-END CERTIFICATE—— lines to a file named after the hostname of the server where the certificate will be installed. For example mail.example.com.crt , is a nice descriptive name.

Subsequent certificates will be named 02.pem , 03.pem , etc.

Replace mail.example.com.crt with your own descriptive name.

Finally, copy the new certificate to the host that needs it, and configure the appropriate applications to use it. The default location to install certificates is /etc/ssl/certs . This enables multiple services to use the same certificate without overly complicated file permissions.

For applications that can be configured to use a CA certificate, you should also copy the /etc/ssl/certs/cacert.pem file to the /etc/ssl/certs/ directory on each server.

References

The Wikipedia HTTPS page has more information regarding HTTPS.

For more information on OpenSSL see the OpenSSL Home Page.

Also, O’Reilly’s Network Security with OpenSSL is a good in-depth reference.

Источник