How to add trusted CA certificate on CentOS/Fedora
source link: https://www.devdungeon.com/content/how-add-trusted-ca-certificate-centosfedora
Introduction
If you have ever tried to connect to a server using TLS, you might have run into an error like this saying the certificate is untrusted:
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
You could set your client to ignore self-signed certificates (e.g. -k with curl), but the better practice is to properly add that certificate as a trusted certificate authority. We will look at how to do this in Fedora/CentOS/RedHat. Current versions right now are Fedora 31 and CentOS 8.
Move the cert to proper location
Copy the certificate pem to /etc/pki/ca-trust/source/anchors
cp mycert.pem /etc/pki/ca-trust/source/anchors/mycert.pem
Update trusted certificates
After moving the cert to /etc/pki/ca-trust/source/anchors/, run update-ca-trust. This will reload all of the trusted certificates, including the one you added.
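The copy and update steps above, as an added example that is not code from the original article, wrapped in a POSIX shell script together with the checks worth doing around them: it compares the certificate's SHA-256 fingerprint against a value you obtained out of band before copying anything into the anchors directory, runs update-ca-trust (which, like writing to /etc/pki, needs root), and then confirms with openssl verify that the certificate now chains to the extracted bundle, which is the same offline check curl performs later in this article. The anchors directory is the one the article uses; /etc/pki/tls/certs/ca-bundle.crt is the extracted bundle update-ca-trust maintains on CentOS/Fedora. Both paths can be overridden from the environment, and openssl and update-ca-trust are assumed to be installed.

```shell
#!/bin/sh
# Added example; not code from the original article. Assumes openssl and
# update-ca-trust are installed and that install_anchor is run as root.
# Paths are the CentOS/Fedora ones the article uses; both can be overridden
# from the environment (useful for testing without touching /etc).
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
BUNDLE="${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"

# Print the SHA-256 fingerprint of a PEM certificate as colon-separated hex
# (AB:CD:...:EF). Compare it with a value obtained out of band, e.g. from the
# server's administrator, never over the connection you are about to trust.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Exit 0 when the certificate in $1 verifies against the CA bundle in $2.
# This is the check the system's TLS clients make after update-ca-trust.
cert_trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Install $1 as a trust anchor only if its fingerprint equals $2, then rebuild
# the extracted bundles and confirm the certificate now verifies against them.
# Anchors are trusted by every client on the machine that uses the system
# store, so the fingerprint comparison is the guard against trusting the
# wrong certificate.
install_anchor() {
    cert="$1"
    expected_fp="$2"
    actual_fp="$(cert_fingerprint "$cert")"
    if [ -z "$actual_fp" ]; then
        echo "cannot read certificate $cert" >&2
        return 1
    fi
    if [ "$actual_fp" != "$expected_fp" ]; then
        echo "refusing to trust $cert: fingerprint $actual_fp does not match $expected_fp" >&2
        return 1
    fi
    cp "$cert" "$ANCHOR_DIR/" || return 1
    update-ca-trust || return 1
    if cert_trusted_by "$cert" "$BUNDLE"; then
        echo "$cert is now trusted via $BUNDLE"
    else
        echo "$cert was copied but does not verify against $BUNDLE" >&2
        return 1
    fi
}

# Usage as root, with the fingerprint you verified out of band:
#   install_anchor mycert.pem "AB:CD:...:EF"
```

cert_fingerprint on its own is the command to run on the certificate file before copying it anywhere; the install step is deliberately refused when the fingerprint argument does not match, so a typo or a swapped file fails closed instead of quietly becoming a machine-wide trust anchor.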
Set up a test environment
This step is optional, but if you do not have a web server and SSL certificate already you may want to create one for testing. You will need two things: an SSL certificate and a web server.
Generate a self-signed cert
You can generate a self-signed SSL certificate using OpenSSL. Learn more in my tutorial Creating self-signed SSL certificates with OpenSSL.
You can use this one command in the shell to generate a cert. Be sure to change localhost if necessary: the hostname in the CN must match the name clients connect to.
# Generate a 2048-bit RSA key (key.pem) and a self-signed certificate (cert.pem)
# valid for 100 years. Change CN=localhost to the hostname clients will use.
# The e-mail address in the original command is obscured on this page;
# user@example.com below is a placeholder.
openssl \
  req \
  -newkey rsa:2048 -nodes \
  -keyout key.pem \
  -x509 -days 36500 -out cert.pem \
  -subj "/C=US/ST=NRW/L=Earth/O=CompanyName/OU=IT/CN=localhost/emailAddress=user@example.com"
Run an HTTPS web server
Once you have the certificate and key, you can run a simple web server that uses the cert for testing.
One option is to use OpenSSL itself. For example:
# -WWW serves files from the current directory by URL path. There is no
# directory index listing, so you must visit a specific file,
# e.g. https://localhost:5000/cert.pem
# Uses the key.pem and cert.pem generated above and listens on port 5000.
openssl s_server -key key.pem -cert cert.pem -accept 5000 -WWW
You can also use Python Flask. This small example will always return a 404, but it will let you know if your SSL certificate is causing an error. Be sure to have the flask package installed for Python and then run this Python code:
# pip install flask
from flask import Flask

# Serve HTTPS on 127.0.0.1:5000 (Flask's default port) using the cert.pem and
# key.pem generated above. No routes are defined, so every request returns 404,
# which is enough to exercise the TLS handshake.
Flask(__name__).run(ssl_context=('cert.pem', 'key.pem'))
Test the HTTPS request
You can use curl to test whether the SSL certificate is trusted or not. Try running:
# Or whatever hostname/port you are using
curl https://localhost:5000
If the certificate is not trusted you will get an error telling you so, and letting you know you can use the -k flag to ignore the error.
If it works, you should see the proper HTTP response with no error messages related to SSL.
To learn more about curl, see my curl Tutorial.
Conclusion
After following this guide you should understand how to add an SSL/TLS certificate as a trusted certificate authority, so that connections to a server no longer fail with errors about self-signed certificates.