How to add a root CA?

parkingmeter

I'm having trouble installing a root CA certificate. I thought I had figured this out, as I had gotten this to work on a previous Solus install, I wrote the process down on GitHub. I'm trying to get Chrome on a new machine to accept a server cert signed by my Root CA; but following the instructions I wrote down are is no longer working.

I have the Root CA cert linked in /etc/ssl/certs, and I added the cert information including fingerprints into /etc/ssl/certs/ca-certificates.crt; but Chrome still does not accept the server certificate signed by the CA cert I added. I've triple checked I'm using valid certs. Note that the hash values (file names created by c_rehash) for the cert files between the [old]working machine and the [new]failing machine are the same.

Thanks for any help!

gray380

Hi,

I faced the same issue.
I've copied the *pem files to the /etc/ssl/certs then run c_rehash . and cat *.0 > ca-certificates.crt.
But Chrome/Firefox does not see these certs.

Any suggestions?

BTW trust list shows these certs.
Best regards
Serhiy.

parkingmeter

Hi @gray380 I was able to use the certutil program to manage my local certs. In Solus, I found the nssdb to add the certs to in my $HOME/.pki/nssdb. I use the https://www.linux.org/docs/man1/certutil.html documentation and here is an example of listing my cert after having added it:
`parkingmeter@tiberius / $ certutil -L -d sql:/home/parkingmeter/.pki/nssdb

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

parkingmeter-Sub-CA C,,`

I hope that helps!

parkingmeter

You didn't ask for this, but after maintaining scripts and infrastructure to manage lab certs for a year or so I switched to using LetsEncrypt with a reverse proxy to simplify my certificate workload. This assumes you get updates for the ca-certs Solus package, which I assume would be really hard to live on the internet without, but relying on eopkg is a lot easier 😛