
Add CA certificate on CentOS Debian Ubuntu

Add self-signed certificate to certificate trust authority.

  • Copy the .crt certificate file:
    • On CentOS: to /etc/pki/ca-trust/source/anchors/
    • On Debian and Ubuntu: to /usr/local/share/ca-certificates/
  • Run the command:
    • On CentOS: update-ca-trust extract
    • On Debian and Ubuntu: update-ca-certificates

Note: the CA file must be in PEM format and have a .crt extension (mycert.pem - fails, mycert.pem.crt - fails, mycert.crt - works).
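The two steps above and the format note, as an added example that is not part of the original page: a small POSIX sh helper that picks the anchor directory and update command from /etc/os-release, normalises the file name to a plain .crt (so mycert.pem and mycert.pem.crt both end up as mycert.crt, matching the note), refuses non-PEM input, and then copies and refreshes the store. The function names (ca_distro_family, ca_anchor_dir, ca_update_cmd, ca_target_name, is_pem_cert, install_ca_cert) are this example's own; mapping RHEL and Fedora to the CentOS paths is an assumption, since the page only names CentOS.

```shell
#!/bin/sh
# Added example, not from the original page: install a PEM CA certificate
# into the system trust store on CentOS (RHEL family, assumed) or Debian/Ubuntu.
# All function names here are this example's own.

# Print "redhat" or "debian" from the ID / ID_LIKE fields of an os-release
# file (default /etc/os-release; another path may be given for testing).
ca_distro_family() {
    osrel="${1:-/etc/os-release}"
    ids=$(. "$osrel" && printf '%s %s' "${ID:-}" "${ID_LIKE:-}")
    case " $ids " in
        *" centos "*|*" rhel "*|*" fedora "*) echo redhat ;;
        *" debian "*|*" ubuntu "*)            echo debian ;;
        *) echo unknown; return 1 ;;
    esac
}

# Directory that the trust-store tooling scans for locally added CAs.
ca_anchor_dir() {
    case "$(ca_distro_family "$@")" in
        redhat) echo /etc/pki/ca-trust/source/anchors ;;
        debian) echo /usr/local/share/ca-certificates ;;
        *) return 1 ;;
    esac
}

# Command that rebuilds the consolidated trust store after the copy.
ca_update_cmd() {
    case "$(ca_distro_family "$@")" in
        redhat) echo 'update-ca-trust extract' ;;
        debian) echo 'update-ca-certificates' ;;
        *) return 1 ;;
    esac
}

# Normalise the file name to the .crt extension the note requires:
# mycert.pem -> mycert.crt, mycert.pem.crt -> mycert.crt, mycert.crt unchanged.
ca_target_name() {
    name=$(basename "$1")
    name="${name%.crt}"
    name="${name%.pem}"
    echo "$name.crt"
}

# An anchor must be PEM: reject DER and anything without the CERTIFICATE
# armour lines (a PEM private key copied by mistake, for instance).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Copy the certificate into place and refresh the store. Needs root.
install_ca_cert() {
    src="$1"
    is_pem_cert "$src" || { echo "$src: not a PEM certificate" >&2; return 1; }
    dir=$(ca_anchor_dir) || { echo "unsupported distribution" >&2; return 1; }
    install -m 0644 "$src" "$dir/$(ca_target_name "$src")"
    cmd=$(ca_update_cmd)
    $cmd
}
# Usage (as root):  . ./add-ca.sh && install_ca_cert /path/to/companyCA.pem
```

Sourcing os-release is the documented way to read it (it is a shell-compatible key=value file owned by root); the detection functions take an optional path so they can be exercised against a constructed file without touching the real system.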

Applications use several methods to access system CA certificates:

  • OpenSSL-based applications use the /etc/ssl/certs directory as the system trust store. If you don't want to run any extra commands, you can simply mount a PEM file containing your CA bundle to /etc/ssl/certs/ca-certificates.crt in the container, and the container will trust those CA certificates. Note that in this case, if you want to trust the Web PKI, your ca-certificates.crt file will have to include all Web PKI CAs as well as your own.
  • NSS uses a hard-coded list of trusted CA certificates inside the libnssckbi.so library, and it stores user-supplied certificates in SQL databases inside $HOME/.pki/nssdb or /etc/pki/nssdb.
  • Java applications use a special Java Keystore file.
  • Some applications don't trust any system trust store, or they have their own independent trust store or need to be configured with a CA bundle filename. For example, servers that need to validate client certificates will require a CA bundle to be passed in as a config parameter.

https://smallstep.com/blog/automate-docker-ssl-tls-certificates/

Check if certificate is trusted by Debian

echo | openssl s_client -connect dc.company.com:636 2>/dev/null | openssl x509 > /tmp/ldaps.crt
openssl verify /tmp/ldaps.crt

This will verify the certificate against the installed trusted root certificates. If the certificate is trusted, the output should be:

/tmp/ldaps.crt: OK

If the certificate is untrusted, there will be an error message.

Compare two certificate files

diff /path/on/server/certificate.crt /tmp/ldaps.crt

Verify the certificate against a specific CA certificate

openssl verify -CAfile /usr/local/share/ca-certificates/companyCA.crt server.crt

This command verifies the server.crt file against the CA certificate. If the verification succeeds, it prints server.crt: OK, which means the certificate chains to that CA.

Certificate chain of trust

You have to supply endpoint and intermediate certificates in one file. You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores.

-----BEGIN CERTIFICATE-----
Endpoint PEM certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate PEM certificate
-----END CERTIFICATE-----

If you only have the endpoint certificate, you can generate the full chain on https://whatsmychaincert.com/

You then use this file in the nginx ssl_certificate option.
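The chain file described above, as an added example that is not part of the original page: a POSIX sh helper that concatenates the endpoint certificate and the intermediate(s) in the required order, splits a bundle back into its individual certificates to count them, and, when openssl is installed, checks that each certificate is issued by the one that follows it and that the chain does not end in a self-signed root (which the text says clients already hold). The function names (chain_build, pem_split, chain_order_check) are this example's own; the openssl x509 -subject / -issuer calls are standard, the rest is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: build an nginx-style chain file
# (endpoint first, then intermediates, no root) and sanity-check its order.
# Function names are this example's own.

# Write endpoint then intermediate(s) into one chain file, in argument order.
# Refuses input that is not PEM so a DER file cannot slip in silently.
chain_build() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "$f: not PEM" >&2; return 1; }
        cat "$f" >> "$out"
        # keep blocks on separate lines even if a file lacks a trailing newline
        [ -z "$(tail -c1 "$f")" ] || echo >> "$out"
    done
}

# Split a PEM bundle into cert-01.pem, cert-02.pem, ... in $2; print the count.
pem_split() {
    bundle="$1"; outdir="$2"
    awk -v d="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", d, n); inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { close(f); inside = 0 }
        END                           { print n + 0 }' "$bundle"
}

# With openssl available, confirm certificate i is issued by certificate i+1
# and that a multi-certificate chain does not end in a self-signed root.
# Returns 0 when the order is right, 1 when it is wrong, 2 without openssl.
chain_order_check() {
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d)
    n=$(pem_split "$1" "$dir")
    rc=0
    i=1
    while [ "$i" -lt "$n" ]; do
        cur=$(printf '%s/cert-%02d.pem' "$dir" "$i")
        nxt=$(printf '%s/cert-%02d.pem' "$dir" $((i + 1)))
        issuer=$(openssl x509 -in "$cur" -noout -issuer)
        subject=$(openssl x509 -in "$nxt" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    if [ "$n" -gt 1 ]; then
        last=$(printf '%s/cert-%02d.pem' "$dir" "$n")
        s=$(openssl x509 -in "$last" -noout -subject)
        is=$(openssl x509 -in "$last" -noout -issuer)
        if [ "${s#subject=}" = "${is#issuer=}" ]; then
            echo "last certificate is self-signed: drop the root from the served chain" >&2
            rc=1
        fi
    fi
    rm -rf "$dir"
    return $rc
}
# Usage: chain_build fullchain.crt endpoint.crt intermediate.crt && chain_order_check fullchain.crt
```

The order check compares the textual subject and issuer names that openssl prints, which is enough to catch the two common mistakes (intermediate placed before the endpoint, or the root appended at the end); a full signature check is what openssl verify -CAfile does and is covered earlier on the page.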

You can test a public site's SSL on:
  • https://www.ssllabs.com/
  • https://www.sslshopper.com/ssl-checker.html
  • https://www.whynopadlock.com/
  • https://comodosslstore.com/ssltools/ssl-checker.php

For an internal site you can test with: openssl s_client -connect yourwebsite.com:443