Install self generated CA certificate into Linux OS

To trust a self-generated CA on a client system, use the following steps.

Retrieve CA certificate from server

Copy CA certificate using browser

Click on the lock icon beside the browser's address bar, then view certificates.

Copy from server

The self-generated CA certificate can normally be found on the server, for example as xxxx.ca.crt.

Run command to retrieve from service

The following command prints the CA certificate. Remove any unnecessary lines from the output, such as DONE.

Note: I haven't validated the certificate retrieved using this method.

openssl s_client -showcerts -connect [server_address]:[port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Install CA certificate

Copy the CA certificate, such as xxxx.ca.crt, into the /usr/local/share/ca-certificates directory, run the update-ca-certificates command to update the system CA store, then restart the impacted service.

cp <xxxx.ca.crt> /usr/local/share/ca-certificates
update-ca-certificates
systemctl restart <service>

Note: the certificate file name must end in .crt
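
The steps above install whatever file was retrieved; the check below, an added example that is not part of the original post, vets the file first. It assumes the CA's SHA-256 fingerprint was obtained separately from whoever runs the CA; the function name check_ca_cert and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example: vet a CA certificate file before trusting it system-wide.
# Usage: check_ca_cert FILE EXPECTED_SHA256
# EXPECTED_SHA256 is a fingerprint obtained out of band (an assumption of
# this example), with or without colons, in either case.
# Returns 0 if OK, 2 bad name or unreadable, 3 not exactly one certificate,
# 4 not a CA certificate, 5 fingerprint mismatch.
check_ca_cert() {
    cert=$1
    expected=$2

    # update-ca-certificates only picks up files whose name ends in .crt
    case "$cert" in
        *.crt) [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; } ;;
        *) echo "$cert: file name must end in .crt" >&2; return 2 ;;
    esac

    # s_client -showcerts prints every certificate the server sent; the file
    # to install should hold one PEM block only.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
    if [ "$count" != 1 ]; then
        echo "$cert: expected 1 certificate, found $count" >&2
        return 3
    fi

    # The certificate must parse and carry basicConstraints CA:TRUE.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$cert: not a CA certificate" >&2
        return 4
    fi

    # Normalise both fingerprints (drop colons, lower-case) and compare.
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
    want=$(printf '%s' "$expected" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ "$actual" != "$want" ]; then
        echo "$cert: fingerprint $actual does not match expected value" >&2
        return 5
    fi
    echo "$cert: OK (sha256 $actual)"
}

# Typical use (as root), with the file name from the steps above:
#   check_ca_cert xxxx.ca.crt "$EXPECTED" &&
#       cp xxxx.ca.crt /usr/local/share/ca-certificates/ &&
#       update-ca-certificates
```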

Test CA

Run the following command. It should return 0 (ok), as shown below.

openssl s_client -connect server_address:443 -CApath /etc/ssl/certs

...
Verify return code: 0 (ok)
