
I've generated a self-signed certificate using openssl; it's entirely self-signed and not signed by a self-signed CA. I've imported it successfully into the NSS database for use by browsers. I now want to trust it globally, so that tools like wget, curl, etc. don't nag.

As per instructions elsewhere, I copied my certificate to /etc/pki/ca-trust/source/anchors/ and then ran "update-ca-trust extract". Unfortunately this seems to only work on CA certificates and not on single certificates. How can I achieve what I'm after? I know I can generate a self signed CA and sign my certificate with that, but I have reasons for not doing this.

I generated my certificate like this:

# 4096-bit RSA private key
openssl genrsa -out server.key 4096
# certificate signing request, written to server.csr so the next command can read it
openssl req -new -key server.key -out server.csr
# self-sign the request with the same key, 10-year validity, extensions taken from the v3_req section of the system openssl.cnf
openssl x509 -sha256 -req -extensions v3_req -days 3650 -in server.csr -signkey server.key -out server.crt -extfile /etc/pki/tls/openssl.cnf

Any help would be greatly appreciated!

dcrdev

3 Answers


You want to trust a single self-signed certificate to identify the server it's used on, without either trusting it as a CA to sign other certificates or firing up your own CA root.

For Red Hat 6, you need to put the server certificate into /etc/pki/tls/certs/, in a file whose name is the hash number of the certificate, with .0 appended.

Start by putting the certificate into a temporary file, say /tmp/selfie.crt. Find the hash with openssl x509 -noout -hash -in /tmp/selfie.crt; let's assume for the sake of argument it's 1234abcd. Put the certificate into the trusted store for RH6 with cp /tmp/selfie.crt /etc/pki/tls/certs/1234abcd.0.

Thanks to Nick Burch's guide on the subject for refreshing my memory about the details.

Though now you can get certificates publicly signed for $9 for the year, if not less, it's beginning to be more trouble than it's worth to do this.

MadHatter
  • Yes, I tried that; it didn't work. This approach is just the manual equivalent of the approach I mentioned in my question. I came to the conclusion that true self-signed certificates can't be added to the system trust store. I caved and created my own CA certificate and added that to the trust store instead. I didn't want this because you need to explicitly provide this CA certificate in https requests in order for some software to work. One piece of software in particular does not support this; I contacted the developer and he's incorporating this ability in the next release. – dcrdev Oct 22 '15 at 14:19
  • It's actually completely different from the method in your question: your question shows how to install a *signing* certificate, whereas I'm showing how to install an *identifying* certificate. Nevertheless, I'm sorry it didn't work for you. The real problem may be that, unlike Windows, Linux doesn't provide a single, centralised certificate-management solution to all its applications; it's up to each application to roll its own, which may or may not involve looking in the OS-standard paths. I'm glad you've got a way forward, though. – MadHatter Oct 22 '15 at 14:28
  • @dcrdev - I'm facing the same issue, i.e. trying to get my self signed certificate trusted on my redhat box. Please explain how you achieved - "I caved and created my own CA certificate and added that to the trust store instead" – Arham Jun 09 '17 at 10:59
  • On Debian, Ubuntu and their derivatives, use `/etc/ssl/certs` instead of `/etc/pki/tls/certs/`. Additionally, saving the certificate with a descriptive filename and symlinking to it with a filename following the hash.0 pattern makes the resulting configuration clearer and more manageable in the future. – Zoltan Nov 30 '21 at 11:00
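The following script is an added example, not code from the question or from any of the answers. It ties the two procedures on this page together: it generates a self-signed server certificate like the one in the question, but with a subjectAltName, which current curl and browsers require (the v3_req section of a stock openssl.cnf does not carry one unless you edit it), and with basicConstraints explicitly CA:FALSE; it then installs that certificate as <subject-hash>.0 in a trust directory, exactly the step the accepted answer describes, and checks with openssl verify -CApath that OpenSSL now accepts the leaf as its own trust anchor. The hostname, file names and TRUST_DIR default are placeholders of my own; it runs in a throw-away directory so it can be tried without root, and TRUST_DIR can be pointed at /etc/pki/tls/certs (Red Hat) or /etc/ssl/certs (Debian) to do it for real.

```shell
#!/bin/sh
# Added example: self-signed server cert -> hash.0 trust anchor -> verification.
# Works with any OpenSSL from 1.0 onwards (no -addext needed; extensions come
# from a small config written on the fly).
set -eu

HOST=${HOST:-myserver.example.internal}   # placeholder hostname, constructed for this example
WORK=$(mktemp -d)                         # scratch space; nothing touches /etc unless TRUST_DIR says so
TRUST_DIR=${TRUST_DIR:-$WORK/trust}

# 1. Key + self-signed certificate in one step. The SAN is what modern clients
#    match the hostname against; CA:FALSE says "this identifies a server, it
#    does not sign anything".
make_self_signed_cert() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $HOST
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# 2. The accepted answer's step: copy the certificate into the trust directory
#    under its subject hash with ".0" appended. Prints the hash.
install_as_anchor() {
    hash=$(openssl x509 -noout -hash -in "$WORK/server.crt")
    mkdir -p "$TRUST_DIR"
    cp "$WORK/server.crt" "$TRUST_DIR/$hash.0"
    echo "$hash"
}

# 3. Check that OpenSSL itself honours the anchor: a self-signed leaf found in
#    -CApath is accepted as the root of a one-certificate chain, so this prints
#    "<path>/server.crt: OK" instead of "self signed certificate" (error 18).
verify_against_dir() {
    openssl verify -CApath "$TRUST_DIR" "$WORK/server.crt"
}

main() {
    make_self_signed_cert
    h=$(install_as_anchor)
    echo "installed $TRUST_DIR/$h.0"
    verify_against_dir
}

# Run the demonstration when openssl is available.
if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; nothing run" >&2
fi
```

The openssl verify check only proves that the OpenSSL library trusts the file. As MadHatter's comment notes, a curl built against NSS or GnuTLS, Java, Python's ssl module and other stacks consult their own stores, so check each client separately (for curl, curl --cacert "$WORK/server.crt" https://$HOST/ is the direct test). On OpenSSL 1.1.0 or newer, openssl rehash "$TRUST_DIR" builds the hash.0 symlinks for every certificate in the directory, which is the more maintainable form Zoltan's comment suggests; the manual cp above mirrors the answer's own steps.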

A CA certificate is a certificate. So adding your certificate to the directory should work. I just tried adding one of the certificates I trust in Firefox to /etc/ca-certificates/trust-source/anchors/, then deleted it from my trusted certs in Firefox. I reloaded the page and it warned me that the cert wasn't trusted. I restarted Firefox and now I can access the page.

I had to update-ca-trust to make it work with wget.

Mine is in .pem format (a BEGIN/END file). What distro do you use? Did you try restarting your tools?

Pierre-Alain TORET

A certification authority needs to issue the certificate. Search for such an organization on the internet. The certificate costs money, but there are also organizations that issue certificates for free. Note that if a certificate is not trusted by a trusted organization, the browser will display a security warning, e.g. "the certificate is not trusted because the issuer certificate is unknown". Also note that the certificate name needs to be identical to the FQDN of the website.

030