Add Internal CA to System Store

lioh · 10-02-2019, 03:14 AM

Hi all,

I am trying to add our internal CA to the system store of my Slackware -current box in order to use e.g. programs like curl without complaining about missing Certs.

For this I have copied the CA cert to /etc/ssl/certs and created a symlink like:

ln -s my-ca.crt \
`openssl x509 -noout -hash -in my-ca.crt`.0

Afterwards I run update-ca-certificates --fresh and hoped that the CA cert would have been added. But:

openssl crl2pkcs7 -nocrl -certfile ca-certificates.crt | openssl pkcs7 -print_certs -text -noout

does not contain my-ca Cert. Am I missing a step or is this the wrong approach to add an internal CA to the system certificate store?

Greetings

Lioh

lioh · 10-02-2019, 03:23 AM

In the meanwhile I have figured out (by looking at the update-ca-certificates script) that it works when I create a directory /usr/local/share/ca-certificates and copy the my-ca.crt into that.

update-ca-certificates --fresh will then create the symlinks accordingly and ln -s my-ca.crt `openssl x509 -noout -hash -in my-ca.crt`.0 is run automatically.

Afterwards ca-certificates.crt also contains my-ca.crt

Still curl does not seem to to use the system store, but wget does. Any idea on that?

ponce · 10-02-2019, 04:08 AM

curl uses its own certs bundle generated from the upstream mozilla's ones (/usr/share/curl/ca-bundle.crt, some infos about it are at the beginning of the file) but it can be configured differently, also via the command line (in "man curl" check the --ca* and --cert* options).