Difference between revisions of "User:Grawity/Adding a trusted CA certificate"

From ArchWiki
(reorder sections)
Line 1: Line 1:
 
{{warning|''Do not'' put files directly in {{ic|/etc/ssl/certs}}. It is not enough, as Java & GnuTLS won't see any certificates installed this way.}}
 
{{warning|''Do not'' put files directly in {{ic|/etc/ssl/certs}}. It is not enough, as Java & GnuTLS won't see any certificates installed this way.}}
  
== System-wide (update-ca-certificates) ==
+
== Personal – NSS (Chromium, Firefox) ==
  
Previously, Arch Linux used the Debian-style ca-certificates scripts. These instructions therefore still work for Debian and Ubuntu.
+
Chromium, Firefox, SeaMonkey use NSS for retrieving trusted CAs. They should pick up any certificates used system-wide, but you can install certificates into your own browser profile as well. Use {{ic|certutil}} for this:
  
The Debian-style ''update-ca-certificates'' requires certificates in PEM format (the text format with {{ic|BEGIN CERTIFICATE}} headers). If you have a file in binary (DER) format, use {{ic|openssl x509}} to convert it:
+
certutil -d ''database'' -A -i ''myCA.cert'' -n "Honest Achmed's CA" -t C,,
  
openssl x509 -inform DER < ''myCA''.crt > ''myCA_pem''.crt
+
Chromium uses the "shared" database at {{ic|-d "sql:$HOME/.pki/nssdb"}}.
  
To install:
+
For Firefox and SeaMonkey, specify the browser's own profile directory (e.g. {{ic|-d ~/.mozilla/firefox/ov6jazas.default}}).
 
 
# Copy the certificate to the {{ic|/usr/local/share/ca-certificates}} directory (mkdir if needed). The file name must end with {{ic|.crt}}.
 
# Run {{ic|update-ca-certificates}} as root.
 
 
 
For more information, see the {{ic|update-ca-certificates(8)}} manual page.
 
  
 
== System-wide (update-ca-trust) ==
 
== System-wide (update-ca-trust) ==
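Review bot: The certutil line that now opens the page passes -t C,, with no explanation, so a reader cannot tell how much trust they are granting. Add a sentence saying the three comma-separated fields cover TLS, e-mail and object signing, and that C in the first field trusts the CA for issuing TLS server certificates only. While touching this line, note that it uses myCA.cert whereas the openssl example elsewhere on the page uses myCA.crt; one file name throughout would make it clear the same certificate is meant.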
Line 25: Line 20:
 
For more information, see the {{ic|update-ca-trust(8)}} manual page.
 
For more information, see the {{ic|update-ca-trust(8)}} manual page.
  
== Personal &ndash; NSS (Chromium, Firefox) ==
+
== System-wide (update-ca-certificates) ==
 +
 
 +
Previously, Arch Linux used the Debian-style ca-certificates scripts. These instructions therefore still work for Debian and Ubuntu.
 +
 
 +
The Debian-style ''update-ca-certificates'' requires certificates in PEM format (the text format with {{ic|BEGIN CERTIFICATE}} headers). If you have a file in binary (DER) format, use {{ic|openssl x509}} to convert it:
  
Chromium, Firefox, SeaMonkey use NSS for retrieving trusted CAs. They should pick up any certificates used system-wide, but you can install certificates into your own browser profile as well. Use {{ic|certutil}} for this:
+
openssl x509 -inform DER < ''myCA''.crt > ''myCA_pem''.crt
  
certutil -d ''database'' -A -i ''myCA.cert'' -n "Honest Achmed's CA" -t C,,
+
To install:
  
Chromium uses the "shared" database at {{ic|-d "sql:$HOME/.pki/nssdb"}}.
+
# Copy the certificate to the {{ic|/usr/local/share/ca-certificates}} directory (mkdir if needed). The file name must end with {{ic|.crt}}.
 +
# Run {{ic|update-ca-certificates}} as root.
  
For Firefox and SeaMonkey, specify the browser's own profile directory (e.g. {{ic|-d ~/.mozilla/firefox/ov6jazas.default}}).
+
For more information, see the {{ic|update-ca-certificates(8)}} manual page.
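Review bot: In the relocated Debian-style section, step 1 says "Copy the certificate" right after the openssl command that writes myCA_pem.crt, without saying which of the two files to copy. Since the paragraph above states that update-ca-certificates requires PEM, name the converted file in the step (for example "Copy the PEM certificate, e.g. myCA_pem.crt, to ...") so that a DER file ending in .crt is not installed by mistake.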

Revision as of 12:19, 4 April 2015

Warning: Do not put files directly in /etc/ssl/certs. Doing so is not enough, because Java and GnuTLS won't see any certificates installed this way.

Personal – NSS (Chromium, Firefox)

Chromium, Firefox and SeaMonkey use NSS to look up trusted CAs. They should pick up any certificates installed system-wide, but you can also install certificates into your own browser profile. Use certutil for this:

certutil -d database -A -i myCA.cert -n "Honest Achmed's CA" -t C,,

Chromium uses the "shared" database at -d "sql:$HOME/.pki/nssdb".

For Firefox and SeaMonkey, specify the browser's own profile directory (e.g. -d ~/.mozilla/firefox/ov6jazas.default).

System-wide (update-ca-trust)

Currently, Arch Linux uses the Fedora-style ca-certificates scripts.

  1. Copy the certificate to the /etc/ca-certificates/trust-source/anchors directory.
  2. Run update-ca-trust as root.

For more information, see the update-ca-trust(8) manual page.

System-wide (update-ca-certificates)

Previously, Arch Linux used the Debian-style ca-certificates scripts. These instructions therefore still work for Debian and Ubuntu.

The Debian-style update-ca-certificates requires certificates in PEM format (the text format with BEGIN CERTIFICATE headers). If you have a file in binary (DER) format, use openssl x509 to convert it:

openssl x509 -inform DER < myCA.crt > myCA_pem.crt

To install:

  1. Copy the certificate to the /usr/local/share/ca-certificates directory (mkdir if needed). The file name must end with .crt.
  2. Run update-ca-certificates as root.

For more information, see the update-ca-certificates(8) manual page.
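
The conversion and copy steps above can be combined with a fingerprint check, so that the file placed in the directory is known to be PEM and its SHA-256 can be compared with the value the CA publishes before it is trusted. This is an added example, not part of the original wiki page; the function names cert_format, crt_name and stage_ca_cert are hypothetical, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: stage a CA certificate as PEM with a .crt name, then show
# its fingerprint for out-of-band verification. Function names are hypothetical.

# Print "PEM" or "DER" for a certificate file; fail for anything else.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
        echo DER
    else
        echo "unrecognised certificate format: $1" >&2
        return 1
    fi
}

# Map any source file name to the *.crt name update-ca-certificates requires.
crt_name() {
    base=$(basename "$1")
    echo "${base%.*}.crt"
}

# Write a PEM copy of certificate $1 into directory $2 and print its subject
# and SHA-256 fingerprint. Re-encoding through openssl also rejects files
# that merely look like a certificate.
stage_ca_cert() {
    src=$1
    dir=$2
    fmt=$(cert_format "$src") || return 1
    out="$dir/$(crt_name "$src")"
    mkdir -p "$dir" || return 1
    openssl x509 -inform "$fmt" -in "$src" -out "$out" || return 1
    openssl x509 -in "$out" -noout -subject -fingerprint -sha256
}

# Typical use, as root, for the Debian-style procedure described above:
#   stage_ca_cert myCA.cert /usr/local/share/ca-certificates
#   (compare the printed fingerprint with the one published by the CA)
#   update-ca-certificates
```
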