Wrong path corrected, added a different scenario to add a cert implicitly trusted.
3ronco

Non Interactive Approach (Oct'18)
for recent debian based systems

There's a distinction between adding a cert to the host's store and activating it so that applications really utilize it. An existing cert in the store isn't necessarily used (although I have to admit that a lot of packages still get it wrong anyway).
This can get confusing when you set up a package which considers /etc/ca-certificates.conf and simply refuses to use your cert although it has been added without error. You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificates.conf or /etc/ca-certificates/update.d.

CERT=mycert.crt
# copy the cert into the package-managed store
cp "/mypath/to/$CERT" "/usr/share/ca-certificates/$CERT"
# notice the + sign which tells to activate the cert!!!
echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
dpkg-reconfigure ca-certificates

Now here it gets confusing as there's a way to implicitly trust a certificate by using a different path:

CERT=mycert.crt
# copy the cert into the local store
cp "/mypath/to/$CERT" "/usr/local/share/ca-certificates/$CERT"
update-ca-certificates
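
A read-only check for the distinction the answer above draws between a cert that is merely present and one that is actually trusted, added here as an example and not part of the original post. It reads a file in the /etc/ca-certificates.conf format (where `#` starts a comment and a leading `!` marks a deselected entry) and treats `.crt` files under the local directory as implicitly trusted; the function name `cert_state`, the sample entries and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# cert_state CONF NAME [LOCAL_DIR]  (hypothetical helper, read-only)
# Prints how update-ca-certificates would treat NAME:
#   implicit   - NAME exists under LOCAL_DIR, trusted without being listed
#   active     - listed in CONF
#   deselected - listed in CONF with a leading "!"
#   unlisted   - not mentioned in CONF: copied, but never activated
#   ignored    - name does not end in .crt, so it is never considered
cert_state() {
    conf=$1 name=$2 local_dir=${3:-/usr/local/share/ca-certificates}
    case $name in
        *.crt) ;;
        *) echo ignored; return 0 ;;
    esac
    if [ -f "$local_dir/$name" ]; then
        echo implicit; return 0
    fi
    state=unlisted
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)  continue ;;             # blank line or comment
            "!$name") state=deselected ;;
            "$name")  state=active ;;
        esac
    done < "$conf"
    echo "$state"
}

# Constructed sample: a temporary conf file and local directory, not real system paths.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/local"
    printf '%s\n' '# constructed sample' 'corp/root-a.crt' '!corp/root-b.crt' > "$tmp/conf"
    : > "$tmp/local/mycert.crt"
    for c in corp/root-a.crt corp/root-b.crt corp/root-c.crt mycert.crt mycert.pem; do
        printf '%-18s %s\n' "$c" "$(cert_state "$tmp/conf" "$c" "$tmp/local")"
    done
    rm -rf "$tmp"
}
demo
```

On a real host, pass /etc/ca-certificates.conf as CONF and the certificate's path relative to /usr/share/ca-certificates as NAME.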
addition
3ronco

Non Interactive Approach (Oct'18)
for recent debian based systems

The approach of just copying a cert file and calling update-ca-certificates isn't working anymore. There's a distinction between adding a cert to the host's store and activating it so that applications really utilize it. An existing cert in the store isn't necessarily used (although I have to admit that a lot of packages still get it wrong anyway).
This can get confusing when you set up a package which considers /etc/ca-certificates.conf and simply refuses to use your cert although it has been added without error. You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificates.conf.

#!/bin/bash

CERT=mycert.crt
# copy the cert into the local store
cp "/mypath/to/$CERT" "/usr/local/share/ca-certificates/$CERT"
# notice the + sign which tells to activate the cert!!!
echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
update-ca-certificates

By the way, activating a cert is exactly what dpkg-reconfigure ca-certificates is doing.

3ronco

Non Interactive Approach (Oct'18)
for recent debian based systems

The approach of just copying a cert file and calling update-ca-certificates isn't working anymore. There's a distinction between adding a cert to the host's store and activating it so that applications really utilize it. An existing cert in the store isn't necessarily used (although I have to admit that a lot of packages still get it wrong anyway).
This can get confusing when you set up a package which considers /etc/ca-certificates.conf and simply refuses to use your cert although it has been added without error. You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificates.conf.

#!/bin/bash

CERT=mycert.crt
# copy the cert into the local store
cp "/mypath/to/$CERT" "/usr/local/share/ca-certificates/$CERT"
# notice the + sign which tells to activate the cert!!!
echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
update-ca-certificates