User:Grawity/Adding a trusted CA certificate
/etc/ssl/certs. It is not enough, as Java & GnuTLS won't see any certificates installed this way.

Personal – NSS (Chromium, Firefox)
Chromium, Firefox, Thunderbird, Evolution, SeaMonkey use NSS for retrieving trusted CAs.
Arch's (and Fedora's) NSS packages are integrated with p11-kit, so they should automatically pick up any certificates used system-wide. But if you prefer (or if your distro uses "pure" NSS), you can install certificates into your own browser profile as well – use certutil for this (replace database with the application's NSS database path given below):
certutil -d database -A -i myCA.cert -n "Honest Achmed's CA" -t C,,
Chromium and Evolution use the "shared" database at -d "sql:$HOME/.pki/nssdb".
For Firefox, Thunderbird, and SeaMonkey, specify the browser's own profile directory (e.g. -d ~/.mozilla/firefox/ov6jazas.default).
System-wide – Arch, Fedora (p11-kit)
Currently Arch Linux uses p11-kit from Fedora, which has more features (e.g. explicit distrusts) than the older scripts from Debian. To import a trust anchor using p11-kit, do:
- Run trust anchor --store myCA.crt as root.
The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit and the "legacy" directories automatically updated.
If you get "no configured writable location" or a similar error, import the CA manually:
- Copy the certificate to the /etc/ca-certificates/trust-source/anchors directory.
- Run update-ca-trust as root.
For more information, see the update-ca-trust(8) manual page.
Fedora
Same as above, but the general location is /etc/pki/ca-trust/source (and the manual installation path is /etc/pki/ca-trust/source/anchors).
System-wide – Debian, Ubuntu (update-ca-certificates)
The Debian-style update-ca-certificates requires certificates in PEM format (the text format with BEGIN CERTIFICATE headers). If you have a file in binary (DER) format, use openssl x509 to convert it:
openssl x509 -inform DER < myCA.crt > myCA_pem.crt
To install:
- Copy the certificate to the /usr/local/share/ca-certificates directory (mkdir if needed). The file name must end with .crt.
- Run update-ca-certificates as root.
For more information, see the update-ca-certificates(8) manual page.
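The two system-wide procedures above (p11-kit on Arch/Fedora, update-ca-certificates on Debian/Ubuntu) differ in the input format they accept and the directory they read from. The following POSIX shell script is an added example, not part of this wiki page: it detects whether a CA file is PEM or DER, prints the exact commands each mechanism needs (including the DER-to-PEM conversion and the mandatory .crt suffix), and checks afterwards whether the legacy /etc/ssl/certs directory trusts the CA. The function names cert_format, install_plan and check_trusted are my own; the paths are the ones from the page.

```shell
#!/bin/sh
# Added example: prepare and verify a CA for the mechanisms described above.

# cert_format FILE -> prints "pem" or "der".
# PEM files carry the text header update-ca-certificates requires.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# install_plan MECHANISM FILE -> prints the commands to run as root.
# MECHANISM is "p11-kit" (Arch, Fedora) or "debian" (update-ca-certificates).
install_plan() {
    mech=$1; file=$2
    dir=$(dirname "$file"); base=$(basename "$file"); stem=${base%.*}
    case $mech in
      p11-kit)
        # trust(1) reads PEM or DER and writes into trust-source itself.
        echo "trust anchor --store $file"
        ;;
      debian)
        src=$file
        if [ "$(cert_format "$file")" = der ]; then
            # update-ca-certificates only accepts PEM; convert first.
            echo "openssl x509 -inform DER < $file > $dir/$stem.pem"
            src=$dir/$stem.pem
        fi
        # The installed file name must end in .crt or it is ignored.
        echo "install -m 0644 $src /usr/local/share/ca-certificates/$stem.crt"
        echo "update-ca-certificates"
        ;;
      *)
        echo "unknown mechanism: $mech" >&2
        return 1
        ;;
    esac
}

# check_trusted FILE -> exit 0 if the legacy OpenSSL directory trusts FILE.
# Both update-ca-trust and update-ca-certificates refresh /etc/ssl/certs.
check_trusted() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl verify -CApath /etc/ssl/certs "$1" >/dev/null 2>&1
}
```

Run install_plan to see what will be executed, then check_trusted myCA.crt after the install; NSS consumers still need the certutil step or p11-kit integration described above.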