Hello. I got an email from a customer saying that they will be switching to verisign certificates, and I need to add the new Root Certificate to my server. So I saved the text of the new root cert as newroot.crt. But how do I add it to /usr/share/ssl/certs/ca-bundle.crt?

I used cat newroot.crt >> ./ca-bundle.crt, but that just results in the base64 encoded text of newroot.crt being appended to the end of ca-bundle.crt. There isn't any of that descriptive text above the entry like serial number, validity, CN, etc. (is that stuff necessary?)

I've got to get this done before the end of October so any help would be much appreciated. Thanks.

My first question is what are they using the certs for and how does this involve you?

Not that I'm aware, but I'm not an expert.

As long as the rest of the file is composed of certs in pem format then you should be ok with what you did.

pem has "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

Like I said, I'm not an expert but my guess is that your customer has you chasing ghosts.

Hi Rustek,

It's for TLS between our 2 email servers. I have to update the ca-bundle.crt file because its based off a cert bundle that dates back to 2000! So it's a good idea for me to update the cert bundle with the new Verisign Root CA.

I suspect you may be right about the validity, seriel number , etc being unnessary. Anyway, I found the answer on another thread. The command is:

openssl x509 -in <yourCA>.crt -text >> /usr/share/ssl/certs/ca-bundle.crt

Yay!