CentOS 7.x add ca or host certificate as trusted certificate at OS level

From Notes_Wiki



Utilities such as wget and curl rely on the certificate trust store managed by the OS. Some other applications, notably web browsers (e.g. Firefox, Chrome), maintain their own certificate bundles instead. This page describes how to add a CA or host certificate as trusted at the OS level, so that a command such as:

wget https://<FQDN>

does not fail with an error similar to:

Unable to locally verify the issuer's authority

and does not require tool-specific workarounds such as '--no-check-certificate', which disables certificate verification altogether rather than fixing the trust problem.

  1. First we need access to the remote server's certificate. For example, in the case of httpd the certificate location is given in /etc/httpd/conf.d/ssl.conf or a similar httpd configuration file.
    The other option is to download the certificate from the remote server with openssl, as described in Openssl#Download_server_certificate_directly_from_server
  2. Copy the downloaded certificate to the following folder:
    cd /etc/pki/ca-trust/source/anchors/
    This folder is for certificates in PEM or DER format, i.e. PEM files that start with -----BEGIN CERTIFICATE-----. Certificates that use the extended BEGIN TRUSTED CERTIFICATE header instead go into the parent folder:
    cd /etc/pki/ca-trust/source
  3. Run the following command as root to rebuild the trust store so that it includes the certificate added above:
    update-ca-trust
  4. Test again with:
    wget https://<fqdn>
  5. If the test still fails, check that:
    1. The certificate on the remote server has not expired. curl typically reports more descriptive errors than wget on HTTPS failures:
      curl https://<fqdn>
    2. The FQDN being requested matches the certificate's subject or subject alternative names.
    3. If possible, generate a certificate with a matching FQDN using Openssl#Creating_self-signed_pem_certificates_for_HTTPS and try again.
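The procedure above as a single script, added here as an example and not taken from the wiki page: it picks the destination folder from the PEM header (step 2), refuses an already expired certificate (step 5.1), copies the file into place and runs update-ca-trust (step 3). CA_TRUST_ROOT is an assumed override so the copy logic can be exercised against a scratch directory without root; the real update only runs when the root is the system /etc/pki/ca-trust.

```shell
#!/bin/sh
# Added example (not from the wiki page): install a certificate into the
# CentOS 7 ca-trust source tree and refresh the bundle.
# CA_TRUST_ROOT is an assumed test hook; on a real system leave it unset.
CA_TRUST_ROOT="${CA_TRUST_ROOT:-/etc/pki/ca-trust}"

# Print the destination directory for a certificate file.
# Plain "BEGIN CERTIFICATE" PEM (and DER) belongs in source/anchors;
# extended "BEGIN TRUSTED CERTIFICATE" PEM belongs in source itself.
trust_dest_dir() {
    cert="$1"
    if grep -q -- '-----BEGIN TRUSTED CERTIFICATE-----' "$cert" 2>/dev/null; then
        printf '%s/source\n' "$CA_TRUST_ROOT"
    else
        printf '%s/source/anchors\n' "$CA_TRUST_ROOT"
    fi
}

# Return non-zero if the certificate has already expired.
# Skips the check (returns 0) when openssl is not installed.
cert_not_expired() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Copy the certificate into the right folder and rebuild the trust store.
# On success prints the path of the installed copy.
install_trusted_cert() {
    cert="$1"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    cert_not_expired "$cert" || { echo "$cert has expired" >&2; return 3; }
    dest="$(trust_dest_dir "$cert")"
    mkdir -p "$dest"
    cp "$cert" "$dest/"
    # Only touch the real system trust store when operating on it.
    if [ "$CA_TRUST_ROOT" = /etc/pki/ca-trust ]; then
        update-ca-trust
    fi
    printf '%s/%s\n' "$dest" "$(basename "$cert")"
}
```

After installing, verify with curl https://<fqdn> rather than wget, since curl's error messages distinguish an unknown issuer from an expired certificate or a hostname mismatch.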

