Adding a self-signed certificate to the "trusted list"
Solution 1
The simple answer to this is that pretty much each application will handle it differently.
Also OpenSSL and GNUTLS (the most widely used certificate processing libraries used to handle signed certificates) behave differently in their treatment of certs which also complicates the issue. Also operating systems utilize different mechanisms to utilize "root CA" used by most websites.
That aside, taking Debian as an example, install the ca-certificates package:
apt-get install ca-certificates
You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):
cp cacert.crt /usr/share/ca-certificates
NOTE: The certificate needs to have a .crt extension for it to be picked up.
To get it to rebuild the directory with your certificate included, run as root:
dpkg-reconfigure ca-certificates
and select the ask option, scroll to your certificate, mark it for inclusion and select ok.
Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file
Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it to the Root CA list.
Most other commands such as curl take command line switches you can use to point at your CA:
curl --cacert /path/to/CA/cert.file https://...
or drop the SSL validation altogether
curl --insecure https://...
The rest will need individual investigation if the ca-certificates-like trick does not sort it for that particular application.
Solution 2
Non Interactive Approach
For use in a non-interactive context (e.g. a chef recipe) you can use the following sequence.
sudo cp my.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
- Tested and works on Debian 5/6 & Ubuntu 14.04.
- For more information, see man update-ca-certificates.
This method is preferred over @Drav's method, since /usr/share/ is typically reserved for files added by the OS / apt-get.
Solution 3
On Fedora 23, add the .pem or .der file to /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust extract.
See man update-ca-trust for details, e.g. whether to use /etc or /usr.
Solution 4
Non Interactive Approach (Oct'18) for recent Debian-based systems
There's a distinction between adding a cert to the host's store and activating it so that applications really utilize those. An existing cert in the store isn't necessarily used (although I have to admit that still a lot of packages are getting it wrong anyway).
This can get confusing when you set up a package which considers /etc/ca-certificate.conf and simply refuses to use your cert although it has been added without error.
You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificate.conf or /etc/ca-certificate/update.d.
CERT=mycert.crt
cp /mypath/to/$CERT /usr/share/ca-certificates/$CERT
# notice the + sign which tells to activate the cert!!!
echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
dpkg-reconfigure ca-certificates;
Now here it gets confusing as there's a way to implicitly trust a certificate by using a different path:
CERT=mycert.crt
cp /mypath/to/$CERT /usr/local/share/ca-certificates/$CERT
update-ca-certificates;
Solution 5
In CentOS:
cp *.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
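The copy-then-rebuild procedure of Solutions 2 through 5, as one added shell script that is not from any of the answers above: it renames .pem/.cer inputs to .crt (the naming pitfall several commenters hit), uses the admin-owned directory for whichever of update-ca-certificates or update-ca-trust the host has, and afterwards proves with openssl that the anchor really landed in the bundle applications read. Assumed: root for the install step, openssl installed, and the bundle paths /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu) and /etc/pki/tls/certs/ca-bundle.crt (Fedora/CentOS/RHEL).

```shell
#!/bin/sh
# Added example, not from the answers above: non-interactive CA install with
# checks for the pitfalls in the comments (.pem/.cer names, activation).
# Assumes Debian/Ubuntu (update-ca-certificates) or Fedora/CentOS/RHEL
# (update-ca-trust) and root for the install step.
set -eu

# Debian only picks up files ending in .crt, so map my.pem / my.cer -> my.crt.
ca_target_name() {
    base=$(basename "$1")
    printf '%s.crt\n' "${base%.*}"
}

# update-ca-certificates concatenates the files, so the input must be PEM.
# (update-ca-trust also takes DER, but PEM keeps the openssl verify below simple.)
ca_is_pem() {
    grep -q 'BEGIN CERTIFICATE' "$1"
}

# A trust anchor should carry basicConstraints CA:TRUE; the stores accept a
# merely self-signed server cert too, but say so because that is unusual.
ca_warn_if_not_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
        echo "warning: $1 has no CA:TRUE basicConstraints" >&2
}

# Copy, activate, then prove the anchor is in the bundle applications read.
ca_install() {
    src=$1
    ca_is_pem "$src" || { echo "$src is not a PEM certificate" >&2; return 1; }
    ca_warn_if_not_ca "$src"
    if command -v update-ca-certificates >/dev/null 2>&1; then
        # /usr/local/share is the admin-owned directory: no conf edit needed.
        cp "$src" "/usr/local/share/ca-certificates/$(ca_target_name "$src")"
        update-ca-certificates
        bundle=/etc/ssl/certs/ca-certificates.crt
    elif command -v update-ca-trust >/dev/null 2>&1; then
        cp "$src" "/etc/pki/ca-trust/source/anchors/$(ca_target_name "$src")"
        update-ca-trust extract
        bundle=/etc/pki/tls/certs/ca-bundle.crt
    else
        echo "neither update-ca-certificates nor update-ca-trust found" >&2
        return 1
    fi
    # Fails with "self signed certificate" if the anchor was not activated.
    openssl verify -CAfile "$bundle" "$src"
}

if [ -n "${1:-}" ]; then ca_install "$1"; fi
```

Run it as `sh install-ca.sh /path/to/cacert.pem`; a final line reading `cacert.pem: OK` means curl, wget and OpenSSL-based tools on the host will now trust that CA, while NSS-based browsers and Java still need their own stores updated as Solution 1 describes.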
Naftuli Kay
Updated on September 18, 2022
Comments
- Naftuli Kay (over 1 year): I've generated a self-signed certificate for my build server and I'd like to globally trust the certificate on my machine, as I created the key myself and I'm sick of seeing warnings. I'm on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://example.com without asking questions?
- msw (over 10 years): All the TLS should be vectored through OpenSSL, so that's the place to look for documentation. In this case: gagravarr.org/writing/openssl-certs/… looks useful.
- Naftuli Kay (about 10 years): Also, as noted here, adding CA certificates for Java is likewise a separate matter.
- Karthik Bosan (over 9 years): After copying the certificate to /usr/share/ca-certificates, I can't see it in the dpkg-reconfigure ca-certificates list. What am I doing wrong?
- Hello World (over 8 years): @GeorgesDupéron That happened to me too. I resolved it by renaming the cert from whatever.pem to whatever.crt.
- ortang (over 8 years): It is better to copy the files to /usr/local/share/ca-certificates/ as mentioned in the man pages.
- KCD (over 7 years): FYI the A must be a .crt, I found .cert claimed it was added but did not help.
- Janac Meena (almost 6 years): When I do openssl connect should I be specifying this /anchors folder? I'm still getting an error "self signed certs".
- Tri Nguyen (about 5 years): FYI, I had a cert file named .cer, and that didn't work. I had to rename it to .crt for it to be recognized.
- Boris Verkhovskiy (over 4 years): I didn't need to install ca-certificates on Ubuntu 19.10.
- Yuri (over 4 years): The file name has to match /usr/share/ca-certificates/*.crt in order to be picked up by the utility.
- FKEinternet (over 3 years): You've just re-enabled all of the certs that were disabled, e.g., ones from bad actors or expired. That was not clever.
- psusi (about 3 years): dpkg-reconfigure only lists the existing certs under the mozilla subdirectory, not the one I added.
- Flimzy (over 2 years): For what it's worth, you can now add certs to Chrome via the Settings page, without the need for the certutil tool.