CentOS 7.x add ca or host certificate as trusted certificate at OS level
From Notes_Wiki
Various utilities such as wget or curl rely on the certificate trust store managed by the OS. A few other applications, especially web browsers (e.g. Firefox, Chrome), maintain their own certificate bundle. To add a CA or host certificate as trusted at OS level so that a command such as:
wget https://<FQDN>
does not throw an error similar to:
Unable to locally verify the issuer's authority
and require tool-specific options such as '--no-check-certificate' to work around the issue, use the following steps:
- First we need access to the remote server's certificate. For example, in case of httpd the certificate location should be mentioned in /etc/httpd/conf.d/ssl.conf or some other similar httpd config file.
  - Other option is to download the certificate from the remote server using openssl, see Openssl#Download_server_certificate_directly_from_server
- Copy the downloaded certificate to the folder below:
  - cd /etc/pki/ca-trust/source/anchors/
  - This folder is for certificates in PEM or DER format (PEM files start with -----BEGIN CERTIFICATE-----). In case of certificates that use the extended BEGIN TRUSTED format, copy them to the parent folder:
    - cd /etc/pki/ca-trust/source
- Run the following command as root user to update the certificate trust so that it includes the certificates added above as trusted:
  - update-ca-trust
- Test again with
  - wget https://<fqdn>
- If the test fails, validate whether
  - The certificate on the remote is not expired. Typically curl shows more descriptive errors compared to wget on https failures:
    - curl https://<fqdn>
  - The certificate FQDN is matching
    - If possible, generate a matching FQDN certificate using Openssl#Creating_self-signed_pem_certificates_for_HTTPS and try again
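The steps above as one script, added here as an example (it is not part of the original notes): it prints the certificate's subject, issuer, expiry and SHA-256 fingerprint so they can be compared with the server owner before the certificate is trusted, picks the folder from the file header, then runs update-ca-trust and re-tests. The function names and the confirmation prompt are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original notes. Usage (as root): <this-script> CERT_FILE FQDN

ANCHORS=/etc/pki/ca-trust/source/anchors   # PEM (BEGIN CERTIFICATE) or DER files
SOURCE=/etc/pki/ca-trust/source            # extended BEGIN TRUSTED format

# Print PEM or DER, the value openssl needs for -inform; fail if unreadable.
cert_form() {
    [ -r "$1" ] || return 1
    if grep -q -e '-----BEGIN' "$1"; then echo PEM; else echo DER; fi
}

# Print the ca-trust folder the certificate file has to be copied to.
trust_dir_for() {
    [ -r "$1" ] || return 1
    if grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' "$1"; then
        echo "$SOURCE"
    else
        echo "$ANCHORS"
    fi
}

# Show what is about to be trusted and refuse an expired certificate.
vet_cert() {   # vet_cert CERT_FILE FQDN
    form=$(cert_form "$1") || { echo "cannot read $1" >&2; return 1; }
    openssl x509 -inform "$form" -in "$1" -noout \
        -subject -issuer -enddate -fingerprint -sha256 || return 1
    openssl x509 -inform "$form" -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
    # A CA certificate will not name the host, so a mismatch is only a warning.
    openssl x509 -inform "$form" -in "$1" -noout -checkhost "$2" |
        grep -q 'does match' || echo "warning: certificate does not name $2" >&2
}

if [ "$#" -eq 2 ]; then
    vet_cert "$1" "$2" || exit 1
    # Compare the fingerprint with one obtained from the server owner.
    printf 'Fingerprint confirmed out of band? [y/N] '
    read -r answer
    [ "$answer" = y ] || exit 1
    cp "$1" "$(trust_dir_for "$1")/" && update-ca-trust &&
        curl -sS -o /dev/null "https://$2" && echo "https://$2 now verifies"
fi
```

Anything placed in these folders is trusted by every tool that uses the OS bundle, which is why the script stops for a fingerprint comparison before copying.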