Adding a self-signed certificate to the "trusted list"

  • I've generated a self-signed certificate for my build server and I'd like to globally trust the certificate on my machine, as I created the key myself and I'm sick of seeing warnings.

    I'm on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://mysite.com without asking questions?

    All the TLS should be vectored through OpenSSL, so that's the place to look for documentation. In this case: http://gagravarr.org/writing/openssl-certs/others.shtml#selfsigned-openssl looks useful.

  • Drav Sloan (correct answer), 7 years ago

    The simple answer to this is that pretty much each application will handle it differently.

    Also, OpenSSL and GnuTLS (the most widely used certificate-processing libraries used to handle signed certificates) behave differently in their treatment of certs, which also complicates the issue. Also, operating systems use different mechanisms to utilize the "root CA" used by most websites.

    That aside, taking Debian as an example, install the ca-certificates package:

    apt-get install ca-certificates
    

    You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):

    cp cacert.pem /usr/share/ca-certificates
    

    And get it to rebuild the directory with your certificate included, run as root:

    dpkg-reconfigure ca-certificates
    

    and select the ask option, scroll to your certificate, mark it for inclusion and select ok.

    Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:

    certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file
    

    Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it into the Root CA list.

    Most other commands such as curl take command line switches you can use to point at your CA,

     curl --cacert  /path/to/CA/cert.file https://...
    

    or drop the SSL validation altogether

     curl --insecure https://...
    

    The rest will need individual investigation if the ca-certificates-like trick does not sort it for that particular application.

    Also, as noted here, adding CA certificates for Java is likewise a separate matter.

    After copying the certificate to /usr/share/ca-certificates, I can't see it in the `dpkg-reconfigure ca-certificates` list. What am I doing wrong?

    @GeorgesDupéron That happened to me too. I resolved it by renaming the cert from `whatever.pem` to `whatever.crt`.

    FYI, I had a cert file named `.cer`, and that didn't work. I had to rename it to `.crt` for it to be recognized.

    I didn't need to install `ca-certificates` on Ubuntu 19.10.

    The file name has to match `/usr/share/ca-certificates/*.crt` in order to be picked by the utility.
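The answer's copy step and the comments' `.crt` pitfall, wrapped in a small POSIX shell helper. This is an added example, not code from the answer or the commenters; it assumes the input is a PEM-encoded certificate, that the destination directory is writable (root for the real one), and that `update-ca-certificates` is the non-interactive counterpart to the `dpkg-reconfigure` step.

```shell
#!/bin/sh
# Added example: stage a CA certificate where Debian/Ubuntu's ca-certificates
# tooling will actually see it. The comments above show the trap: only files
# matching /usr/share/ca-certificates/*.crt are listed by dpkg-reconfigure;
# a .pem or .cer copy of the same certificate is silently ignored.

# stage_ca_cert SRC [DESTDIR]
# Copies SRC into DESTDIR under a .crt name and prints the staged path.
# Returns 1 if SRC is not PEM text, 2 if it carries a private key.
stage_ca_cert() {
    src=$1
    destdir=${2:-/usr/share/ca-certificates}   # page's path; parameter is mine
    # A trust store holds public certificates only; refuse a key by mistake.
    if grep -q 'PRIVATE KEY' "$src"; then
        echo "refusing: $src contains a private key" >&2
        return 2
    fi
    # A DER-encoded .cer has no PEM header and must be converted first
    # (e.g. openssl x509 -inform der -in x.cer -out x.pem).
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$src"; then
        echo "refusing: $src is not a PEM certificate" >&2
        return 1
    fi
    base=$(basename "$src")
    stem=${base%.*}            # drop whatever extension it had (.pem/.cer/.crt)
    mkdir -p "$destdir"
    cp "$src" "$destdir/$stem.crt"
    echo "$destdir/$stem.crt"
}

# refresh_trust_store: rebuild /etc/ssl/certs and ca-certificates.crt.
# Non-interactive alternative to the dpkg-reconfigure step; no-op if the
# tool is absent (e.g. when trying this helper outside Debian/Ubuntu).
refresh_trust_store() {
    command -v update-ca-certificates >/dev/null 2>&1 || return 0
    update-ca-certificates
}

# verify_with_store SERVER_CERT: check that a server cert chains to the
# rebuilt bundle, i.e. that curl/wget/openssl will now accept it.
verify_with_store() {
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "$1"
}
```

Run `stage_ca_cert cacert.pem && refresh_trust_store` as root, then `verify_with_store server.pem` to confirm the chain validates before touching any application-specific store.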

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM