168

I've generated a self-signed certificate for my build server and I'd like to globally trust the certificate on my machine, as I created the key myself and I'm sick of seeing warnings.

I'm on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://example.com without asking questions?

Naftuli Kay

  • All the TLS should be vectored through OpenSSL, so that's the place to look for documentation. In this case: http://gagravarr.org/writing/openssl-certs/others.shtml#selfsigned-openssl looks useful. – msw Sep 13 '13 at 02:06

6 Answers

139

The simple answer to this is that pretty much each application will handle it differently.

Also, OpenSSL and GnuTLS (the most widely used certificate-processing libraries used to handle signed certificates) behave differently in their treatment of certs, which further complicates the issue. Operating systems also use different mechanisms to manage the "root CA" certificates used by most websites.

That aside, taking Debian as an example, install the ca-certificates package:

apt-get install ca-certificates

You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):

cp cacert.crt /usr/share/ca-certificates

NOTE: the certificate needs to have the .crt extension for it to be picked up.

Then get it to rebuild the directory with your certificate included; run as root:

dpkg-reconfigure ca-certificates

and select the ask option, scroll to your certificate, mark it for inclusion and select ok.

Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file

Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it into the Root CA list.

Most other commands, such as curl, take command line switches you can use to point at your CA:

curl --cacert /path/to/CA/cert.file https://...

or drop SSL validation altogether:

curl --insecure https://...

The rest will need individual investigation if the ca-certificates-like trick does not sort it for that particular application.

Drav Sloan

  • Also, as noted here, adding CA certificates for Java is likewise a separate matter. – Naftuli Kay Mar 28 '14 at 00:40
  • After copying the certificate to /usr/share/ca-certificates, I can't see it in the dpkg-reconfigure ca-certificates list. What am I doing wrong? – Suzanne Soy Feb 17 '15 at 19:21
  • @GeorgesDupéron That happened to me too. I resolved it by renaming the cert from whatever.pem to whatever.crt. – Hello World Oct 03 '15 at 07:19
  • ref https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html – qxo Jul 18 '18 at 03:09
  • FYI, I had a cert file named .cer, and that didn't work. I had to rename it to .crt for it to be recognized. – Tri Nguyen Mar 01 '19 at 19:10
  • I didn't need to install ca-certificates on Ubuntu 19.10. – Oct 21 '19 at 17:26
  • The file name has to match /usr/share/ca-certificates/*.crt in order to be picked up by the utility. – Yuri Feb 11 '20 at 18:06
  • dpkg-reconfigure only lists the existing certs under the mozilla subdirectory, not the one I added. – psusi May 06 '21 at 13:55
  • For what it's worth, you can now add certs to Chrome via the Settings page, without the need for the certutil tool. – Flimzy Dec 16 '21 at 11:30
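The answer above notes that each application handles trust differently and that Python is one of the cases needing its own investigation. The following is an added example (my code, not from the thread or from any project) showing the Python standard-library side: how the ssl module discovers the OS store that update-ca-certificates populates, and how one private CA can be added per-context while keeping chain and hostname verification on. The CA path is a hypothetical placeholder.

```python
"""Added example: how a Python client decides which CA store to trust.

Python's ssl module asks OpenSSL for its default CA file/directory (overridable
via SSL_CERT_FILE / SSL_CERT_DIR), which is how a CA installed into the OS store
becomes visible to it. A private CA can also be added to one context without
switching verification off. PRIVATE_CA_PEM below is a hypothetical path.
"""
import os
import ssl

PRIVATE_CA_PEM = "/usr/local/share/ca-certificates/my-build-ca.crt"  # hypothetical


def trust_sources():
    """Report which CA file/dir OpenSSL (and hence Python) would consult by default.

    cafile/capath come back as None when neither the env override nor the
    compiled-in default exists on this machine; that is the first thing to check
    when a CA that was "installed" is still not trusted by Python.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,   # usually SSL_CERT_FILE
        "capath_env": p.openssl_capath_env,   # usually SSL_CERT_DIR
        "default_cafile": p.openssl_cafile,   # e.g. /usr/lib/ssl/cert.pem on Debian
        "default_capath": p.openssl_capath,   # e.g. /usr/lib/ssl/certs on Debian
    }


def client_context(extra_ca_file=None):
    """System trust store, plus one private CA if given. Verification stays on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check + OS store
    if extra_ca_file is not None:
        if not os.path.isfile(extra_ca_file):
            # Fail closed and loudly: a missing CA file must not silently
            # leave the connection trusting something else than intended.
            raise FileNotFoundError(extra_ca_file)
        # load_verify_locations ADDS to the already-loaded OS store, it does
        # not replace it, so public sites keep working alongside the private CA.
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def is_verifying(ctx):
    """True only if the context checks both the certificate chain and the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print(trust_sources())
    # Real use: sock = socket.create_connection(("example.com", 443))
    #           tls = client_context(PRIVATE_CA_PEM).wrap_socket(sock, server_hostname="example.com")
    print("verifying:", is_verifying(client_context()))
```

Caveat for the same language: `requests` does not use this store at all; it ships its own bundle via certifi and only honours a private CA when `verify=` or the REQUESTS_CA_BUNDLE environment variable points at a bundle containing it. Java, as the comment above says, keeps yet another separate keystore.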
99

Non Interactive Approach

For use in a non-interactive context (e.g. a chef recipe) you can use the following sequence.

sudo cp my.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

  • Tested and works on Debian 5/6 & Ubuntu 14.04.
  • For more information, see man update-ca-certificates

This method is preferred over @Drav's method, since /usr/share/ is typically reserved for files added by the OS / apt-get.

BobTuckerman, oDDsKooL
14

Fedora

On Fedora 23, add the .pem or .der file to /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust extract.

See man update-ca-trust for details, e.g. whether to use /etc or /usr.

Alpine

Add the .pem to /usr/local/share/ca-certificates/ and run update-ca-certificates.

The sources for this Alpine tooling live at https://github.com/alpinelinux/ca-certificates/blob/898ab81b51730dcd175069956d6e792385c9f457/update-ca.c#L18

user7610
10

In CentOS:

cp *.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

dragonfly

  • When I do openssl connect should I be specifying this /anchors folder? I'm still getting an error "self signed certs – Janac Meena Jul 13 '18 at 13:52
9

Non Interactive Approach (Oct '18) for recent Debian-based systems

There's a distinction between adding a cert to the host's store and activating it so that applications really use it. An existing cert in the store isn't necessarily used (although I have to admit that a lot of packages still get this wrong anyway).
This can get confusing when you set up a package which considers /etc/ca-certificates.conf and simply refuses to use your cert although it has been added without error. You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificates.conf or /etc/ca-certificates/update.d.

CERT=mycert.crt
cp /mypath/to/$CERT /usr/share/ca-certificates/$CERT
# notice the + sign which tells it to activate the cert!!!
echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
dpkg-reconfigure ca-certificates

Now here it gets confusing as there's a way to implicitly trust a certificate by using a different path:

CERT=mycert.crt
cp /mypath/to/$CERT /usr/local/share/ca-certificates/$CERT
update-ca-certificates

3ronco
1

sudo cp my.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

These 2 lines above did not work for me the first time.

After investigation, it turned out that many certificates are excluded in /etc/ca-certificates.conf because the line starts with !

So I had to remove the 1st character in all lines which start with !

sudo sed -i '/^!/s/^.//g' /etc/ca-certificates.conf
sudo update-ca-certificates

Now curl works without the need for the --cacert option!!

  • You've just re-enabled all of the certs that were disabled, e.g., ones from bad actors or expired. That was not clever – FKEinternet Oct 29 '20 at 21:52
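Several answers and comments in this thread turn on the same question: which files does update-ca-certificates actually put into the bundle, and why does the sed trick in the last answer do more than its author intended? The block below is an added example (my code, not from the thread or from the ca-certificates package): a simplified model of the selection rules, written from my reading of the package's scripts and of the comments above, so treat the exact rules as an assumption. It models that lines in /etc/ca-certificates.conf starting with # are comments and lines starting with ! are deselected, that every *.crt under /usr/local/share/ca-certificates is included unconditionally, and that dpkg-reconfigure only offers *.crt files. The config text and directory listings are constructed samples, not real system data.

```python
"""Added example: a model of which certs end up in /etc/ssl/certs/ca-certificates.crt.

Assumed rules (from the Debian ca-certificates scripts as I understand them):
  - /etc/ca-certificates.conf: '#' lines are comments, '!' lines are deselected,
    any other line names a file under /usr/share/ca-certificates to include;
  - /usr/local/share/ca-certificates/*.crt is always included;
  - dpkg-reconfigure ca-certificates only lists *.crt files for selection.
"""
SHARE_DIR = "/usr/share/ca-certificates/"
LOCAL_DIR = "/usr/local/share/ca-certificates/"

# Constructed sample of /etc/ca-certificates.conf (not copied from any real system).
SAMPLE_CONF = """\
# Lines starting with # are comments; lines starting with ! are deselected.
mozilla/ISRG_Root_X1.crt
!mozilla/Some_Distrusted_Root.crt
!mozilla/Expired_Legacy_Root.crt
"""

# Constructed listings (paths relative to each directory).
SHARE_CERTS = {
    "mozilla/ISRG_Root_X1.crt",
    "mozilla/Some_Distrusted_Root.crt",
    "mozilla/Expired_Legacy_Root.crt",
    "my-build-ca.crt",   # copied in by hand, as in the first answer
    "my-build-ca.pem",   # same CA, wrong extension
}
LOCAL_CERTS = {"build-server.crt", "notes.txt"}


def selected_certs(conf_text, share_certs, local_certs):
    """Absolute paths of the certificates that would be written into the bundle."""
    selected = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            continue  # deselected: distrusted or expired roots stay out
        if line in share_certs:
            selected.add(SHARE_DIR + line)
    # The local tree is trusted unconditionally, but only files ending in .crt.
    for name in local_certs:
        if name.endswith(".crt"):
            selected.add(LOCAL_DIR + name)
    return selected


def offered_by_dpkg_reconfigure(share_certs):
    """What the interactive selection dialog would list: only *.crt files."""
    return {n for n in share_certs if n.endswith(".crt")}


def reenable_everything(conf_text):
    """Model of the sed from the last answer: strips the leading '!' from every line."""
    lines = [l[1:] if l.startswith("!") else l for l in conf_text.splitlines()]
    return "\n".join(lines) + "\n"


def enable_one(conf_text, name):
    """Narrower change: select exactly one cert, leaving every other '!' line alone."""
    lines = conf_text.splitlines()
    if name in lines:
        return conf_text
    if "!" + name in lines:
        lines = [name if l == "!" + name else l for l in lines]
    else:
        lines.append(name)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", sorted(selected_certs(SAMPLE_CONF, SHARE_CERTS, LOCAL_CERTS)))
    print("after sed:", sorted(selected_certs(reenable_everything(SAMPLE_CONF), SHARE_CERTS, LOCAL_CERTS)))
    print("after enabling one:", sorted(selected_certs(enable_one(SAMPLE_CONF, "my-build-ca.crt"), SHARE_CERTS, LOCAL_CERTS)))
```

Running it shows the three situations discussed above side by side: my-build-ca.crt sits in /usr/share/ca-certificates but is not in the bundle until a config line selects it (and the .pem copy is never even offered), the /usr/local/share copy is picked up with no config at all, and the sed rewrite pulls the deselected roots back in along with everything else, which is the point the last comment makes.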