Install a root certificate in CentOS 6
Solution 1
On my RHEL 6 box the man 8 update-ca-trust manual page has a pretty extensive explanation of how the system-wide CA certificates and associated trusts can/should be managed.
More often than not, configuration is application specific, as the comments above indicate.
Solution 2
I wrote some command lines so it is more accessible to novices in SSL:
Navigate to the PKI Folder
$ cd /etc/pki/tls/certs/
VERIFY (hard) links and Backup certificates
$ cp ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.bak
$ cp ca-bundle.trust.crt /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt.bak
Upload CA chain to CentOS
$ scp <cachain> root@sydapp28:/tmp
Connect to CentOS via SSH (Putty?) or local
$ ssh -C root@sydapp28
IF PKCS12 CAChain: “Convert your Internal CA chain certificate to PEM format & remove headers”:
$ cd /tmp ; openssl pkcs12 -nodes -in <cachain.pfx.p12> | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cachain.pem
Append your Internal CA to CentOS
$ cat /tmp/cachain.pem >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
$ cat /tmp/cachain.pem >> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
$ reboot
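As an added example (not part of either answer above), the same task done through the ca-certificates mechanism that Solution 1's man page describes: the chain goes into the anchors directory and update-ca-trust regenerates the bundles, so nothing is appended to files that the next extract would overwrite. It assumes the stock CentOS 6 paths, ca-certificates 2013 or later, and root for the install step; the file name internal-ca.pem is a placeholder.

```sh
#!/bin/sh
# Added example, not from the answers above: put an internal root CA into the
# CentOS 6 system trust store via update-ca-trust (ca-certificates >= 2013.1.94)
# instead of appending to the extracted bundles, which "update-ca-trust extract"
# rewrites. Paths are the stock CentOS 6 ones; the install step needs root.
set -eu

ANCHORS=/etc/pki/ca-trust/source/anchors
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt   # symlink to extracted/pem/tls-ca-bundle.pem

# Number of certificates in a PEM file; prints 0 for a missing or empty file.
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Write only the certificate blocks of a PEM or PKCS#12 input to a clean PEM file.
# For .p12/.pfx, -nokeys drops any private key: only the CA chain may enter the trust store.
to_pem_chain() {
    in=$1; out=$2
    case "$in" in
        *.p12|*.pfx) openssl pkcs12 -nokeys -in "$in" ;;
        *)           cat "$in" ;;
    esac | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out"
    [ "$(pem_cert_count "$out")" -gt 0 ] || { echo "no certificate found in $in" >&2; return 1; }
}

# Install the chain as a trust anchor (file name is a placeholder), regenerate every
# bundle consumed by OpenSSL-based clients (Apache/PHP, OpenLDAP, curl), then verify.
install_ca() {
    before=$(pem_cert_count "$BUNDLE")
    to_pem_chain "$1" "$ANCHORS/internal-ca.pem"
    update-ca-trust enable     # point the legacy bundle paths at the consolidated store (once)
    update-ca-trust extract    # rebuild bundles from source/anchors; manual edits to extracted files vanish here
    echo "certificates in $BUNDLE: $before -> $(pem_cert_count "$BUNDLE")"
    # The chain must validate against the bundle applications read, not just sit in the anchors directory.
    openssl verify -CAfile "$BUNDLE" "$ANCHORS/internal-ca.pem"
}

if [ $# -eq 1 ]; then install_ca "$1"; fi
```

Run it as root with the chain file (PEM or .p12/.pfx) as the only argument; the before/after count and the final openssl verify line show whether the CA actually landed in the bundle Apache, PHP and OpenLDAP read.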
John White
Updated on September 18, 2022
Comments
-
John White over 1 year
I know it has already been asked, but despite many hours of research I couldn't find a working solution. I am trying to install my root certificate on my server, so internal services can bind to each other using SSL.
Which services should know about the new root CA:
- Apache httpd and PHP
- OpenLDAP client
- Node.js
For Apache I need a PHP application to know about the root certificate, so if a site connects to another SSL website (signed by the same CA) it works fine and it doesn't complain about a self-signed certificate.
For OpenLDAP I believe it's the same as PHP, the module it uses is quite old, it's Net_LDAP2, installed with PEAR. I tried editing the local openldap configuration, but it looks like the system is not using it.
Last, Node.js, which I use for parsoid. The node.js servers have to trust the CA in order to make a good SSL connection.
I tried adding the certificate to /etc/pki/tls/certs/ca-bundle.crt with little success.
While httpd doesn't see the root CA, I managed to make other services work with it, like tomcat and 389.
Thank you for your support.
-
Aaron Copley over 10 years
What exactly have you tried? This is pretty easily researched stuff as it is pretty commonly done. If we know why you are having trouble, we might be able to give a better answer than SSLCACertificateFile in /etc/httpd/conf.d/ssl.conf, TLS_CACERT in /etc/openldap/ldap.conf (OpenLDAP Client), TLSCACertificateFile in /etc/openldap/slapd.conf (OpenLDAP Server), etc.
-
John White over 10 years
Apache httpd is the main reason why I posted this question. I think it reads system-wide certificates. But editing them didn't work.
-
John White over 10 years
No such manual for CentOS. I believe the two systems have different admin tools.
-
HBruijn over 10 years
They're mostly alike, but it's small differences like that that always trip me up. It's part of the ca-certificates rpm. A copy of the man page can be found here
-
8None1 almost 10 years
My CentOS 6.5 has a man page for update-ca-trust. @Mc120k do you have ca-certificates-2013 installed?