Difference between revisions of "User:Grawity/Adding a trusted CA certificate"

From ArchWiki
m (spelling fix)
(add Fedora)
 
Line 25: Line 25:
  
 
For more information, see the {{ic|update-ca-trust(8)}} manual page.
 
For more information, see the {{ic|update-ca-trust(8)}} manual page.
 +
 +
=== Fedora ===
 +
 +
Same as above, but the general location is {{ic|/etc/pki/ca-trust/source}} (and the manual installation path is {{ic|/etc/pki/ca-trust/source/anchors}}).
  
 
== System-wide – update-ca-certificates (Debian, Ubuntu) ==
 
== System-wide – update-ca-certificates (Debian, Ubuntu) ==
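Review bot: the new Fedora subsection is inserted after the "For more information, see the {{ic|update-ca-trust(8)}} manual page." line, so that pointer now closes only the Arch instructions and the Fedora text ends without it, even though the man page applies to both. Move the subsection above the pointer or repeat the pointer at its end. "Same as above" also leaves the reader to work out which steps carry over; stating that the file goes into {{ic|/etc/pki/ca-trust/source/anchors}} and that update-ca-trust is run afterwards would let the subsection stand alone.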

Latest revision as of 15:07, 3 May 2018

Warning: Do not put files directly in /etc/ssl/certs. It is not enough, as Java & GnuTLS won't see any certificates installed this way.

Personal – NSS (Chromium, Firefox)

Chromium, Firefox, Thunderbird, Evolution, and SeaMonkey use NSS to retrieve trusted CAs. They should pick up any certificates installed system-wide, but you can install certificates into your own browser profile as well. Use certutil for this:

certutil -d database -A -i myCA.cert -n "Honest Achmed's CA" -t C,,

Chromium and Evolution use the "shared" database at -d "sql:$HOME/.pki/nssdb".

For Firefox, Thunderbird, and SeaMonkey, specify the browser's own profile directory (e.g. -d ~/.mozilla/firefox/ov6jazas.default).

System-wide – p11-kit (Arch, Fedora)

Currently Arch Linux uses p11-kit from Fedora, which has more features (e.g. explicit distrusts) than the older scripts from Debian. To import a trust anchor using p11-kit, do:

  1. Run trust anchor --store myCA.crt as root.

The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit and the "legacy" directories will be updated automatically.

If you get "no configured writable location" or a similar error, import the CA manually:

  1. Copy the certificate to the /etc/ca-certificates/trust-source/anchors directory.
  2. Run update-ca-trust as root.

For more information, see the update-ca-trust(8) manual page.

Fedora

Same as above, but the general location is /etc/pki/ca-trust/source (and the manual installation path is /etc/pki/ca-trust/source/anchors).

System-wide – update-ca-certificates (Debian, Ubuntu)

Previously, Arch Linux used the Debian-style ca-certificates scripts. These instructions therefore still work for Debian and Ubuntu.

The Debian-style update-ca-certificates requires certificates in PEM format (the text format with BEGIN CERTIFICATE headers). If you have a file in binary (DER) format, use openssl x509 to convert it:

openssl x509 -inform DER < myCA.crt > myCA_pem.crt

To install:

  1. Copy the certificate to the /usr/local/share/ca-certificates directory (create it with mkdir if needed). The file name must end with .crt.
  2. Run update-ca-certificates as root.

For more information, see the update-ca-certificates(8) manual page.
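
The manual installation steps from the p11-kit, Fedora and Debian sections above, combined into one helper that reports where a CA file belongs, which refresh command to run, and whether it first needs the DER-to-PEM conversion. This is an added example, not part of the original page; the function names, the ROOT prefix and the directory-based layout detection are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page. ROOT is a hypothetical prefix that
# lets the logic be tried against a scratch tree instead of the live system.

# Print "pem", "der" or "unknown". Heuristic only: PEM carries the BEGIN
# CERTIFICATE header; DER starts with an ASN.1 SEQUENCE tag (byte 0x30).
ca_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}

# Print "destination|refresh command|needs PEM conversion" for file $1.
# Assumption: the layout is recognised by which trust-source directory exists;
# anything else is treated as Debian-style.
ca_install_plan() (
    file=$1
    root=${ROOT:-}
    fmt=$(ca_format "$file")
    if [ "$fmt" = unknown ]; then
        echo "error: $file is not a PEM or DER certificate" >&2
        exit 1
    fi
    base=$(basename "$file")
    if [ -d "$root/etc/ca-certificates/trust-source" ]; then      # Arch
        echo "$root/etc/ca-certificates/trust-source/anchors/$base|update-ca-trust|no"
    elif [ -d "$root/etc/pki/ca-trust/source" ]; then             # Fedora
        echo "$root/etc/pki/ca-trust/source/anchors/$base|update-ca-trust|no"
    else                                                          # Debian, Ubuntu
        # The page states the PEM and ".crt" requirements for this tool only.
        convert=no
        if [ "$fmt" = der ]; then convert=yes; fi
        echo "$root/usr/local/share/ca-certificates/${base%.*}.crt|update-ca-certificates|$convert"
    fi
)

# Usage: sh ca-plan.sh myCA.crt   (ca-plan.sh is a made-up file name)
if [ "$#" -gt 0 ]; then
    ca_install_plan "$1"
fi
```

When the third field is "yes", run the openssl x509 conversion shown above before copying the file to the reported destination.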