How to add Certificate Authority file in CentOS 7

Ssl Certificate, Ca

Ssl Certificate Problem Overview


I am trying to add a Certificate Authority (CA) file named ca.crt to /etc/ssl/certs; for that I followed this article.

I copied my ca.crt file to /etc/pki/ca-trust/source/anchors/ and ran the command below:

update-ca-trust extract

After that I checked /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt file, but I didn't find my CA.

I am not able to figure out what may be the problem.

What am I doing wrong and how can I fix it?

Ssl Certificate Solutions


Solution 1 - Ssl Certificate

Copy your certificates inside

/etc/pki/ca-trust/source/anchors/

then run the following command:

update-ca-trust

Solution 2 - Ssl Certificate

Find the *.pem file and place it in the anchors sub-directory, or simply link the *.pem file there.

yum install -y ca-certificates
update-ca-trust force-enable
sudo ln -s /etc/ssl/your-cert.pem /etc/pki/ca-trust/source/anchors/your-cert.pem
update-ca-trust

Solution 3 - Ssl Certificate

Your CA file must have been in a binary X.509 format instead of Base64 encoding; it needs to be a regular DER or PEM in order for it to be added successfully to the list of trusted CAs on your server.

To proceed, place your CA file inside your /usr/share/pki/ca-trust-source/anchors/ directory, then run the command below (you might need sudo privileges, depending on your settings):

# CentOS 7, Red Hat 7, Oracle Linux 7
update-ca-trust

Please note that all trust settings available in the /usr/share/pki/ca-trust-source/anchors/ directory are interpreted with a lower priority compared to the ones placed under the /etc/pki/ca-trust/source/anchors/ directory which may be in the extended BEGIN TRUSTED file format.

For Ubuntu and Debian systems, /usr/local/share/ca-certificates/ is the preferred directory for that purpose.

As such, you need to place your CA file within the /usr/local/share/ca-certificates/ directory, then update the list of trusted CAs by running, with sudo privileges where required, the command below:

update-ca-certificates

Solution 4 - Ssl Certificate

QUICK HELP 1: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

  • add it as a new file to directory /etc/pki/ca-trust/source/anchors/

  • run update-ca-trust extract

QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:

  • add it as a new file to directory /etc/pki/ca-trust/source/
  • run update-ca-trust extract

For more detailed information, see man update-ca-trust
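A way to run the check from the question (is my CA actually in the extracted bundle?), added here as an example that is not part of the original question or answers. It accepts the CA file as PEM or DER and compares SHA-256 fingerprints, reading only the leading certificate from each BEGIN TRUSTED CERTIFICATE block in ca-bundle.trust.crt, because that format appends trust data after the certificate. All function names are hypothetical, and the sample "certificates" are constructed placeholder bytes, not real certificates.

```python
import base64, hashlib, re

# Plain PEM blocks and OpenSSL "TRUSTED CERTIFICATE" blocks (ca-bundle.trust.crt).
PEM_RE = re.compile(
    r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)-----END (?:TRUSTED )?CERTIFICATE-----", re.S)

def first_der_element(data: bytes) -> bytes:
    """Return the leading DER SEQUENCE; a TRUSTED block appends trust data after it."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, header = data[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if len(data) < header + length:
        raise ValueError("truncated DER")
    return data[:header + length]

def bundle_to_der(text: str) -> list:
    """Decode every certificate block of a PEM file or bundle to certificate DER."""
    return [first_der_element(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(text)]

def load_cert_der(raw: bytes) -> bytes:
    """Accept the CA file as PEM or DER bytes and return the certificate DER."""
    if b"-----BEGIN" in raw:
        ders = bundle_to_der(raw.decode("ascii", "replace"))
        if not ders:
            raise ValueError("PEM markers present but no certificate block")
        return ders[0]
    return first_der_element(raw)

def is_in_bundle(ca_file: bytes, bundle_text: str) -> bool:
    """True if the CA file's SHA-256 fingerprint matches a bundle entry."""
    wanted = hashlib.sha256(load_cert_der(ca_file)).digest()
    return any(hashlib.sha256(d).digest() == wanted for d in bundle_to_der(bundle_text))

def pem(der: bytes, label: str = "CERTIFICATE") -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed stand-ins: DER SEQUENCEs with dummy content, not real certificates.
CA_A = b"\x30\x81\x90" + b"A" * 0x90     # long-form length
CA_B = b"\x30\x10" + b"B" * 0x10         # short-form length
AUX = b"\x30\x03\x0c\x01x"               # dummy trailing trust data
SAMPLE_BUNDLE = pem(CA_A + AUX, "TRUSTED CERTIFICATE") + pem(CA_B)

if __name__ == "__main__":
    print(is_in_bundle(pem(CA_A).encode(), SAMPLE_BUNDLE), is_in_bundle(CA_B, SAMPLE_BUNDLE))
```

On a real host, pass the bytes of ca.crt and the text of /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt to is_in_bundle after running update-ca-trust extract.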

Solution 5 - Ssl Certificate

Maybe late to the party but in my case it was RHEL 6.8:

Copy certificate.crt issued by hosting to:

/etc/pki/ca-trust/source/anchors/

Then:

update-ca-trust force-enable   # ignore "not found" warnings
update-ca-trust extract

Hope it helps

Solution 6 - Ssl Certificate

The complete instructions are as follows:

  1. Extract Private Key from PFX

openssl pkcs12 -in myfile.pfx -nocerts -out private-key.pem -nodes

  2. Extract Certificate from PFX

openssl pkcs12 -in myfile.pfx -nokeys -out certificate.pem

  3. Install certificate

yum install -y ca-certificates
cp your-cert.pem /etc/pki/ca-trust/source/anchors/your-cert.pem
update-ca-trust
update-ca-trust force-enable

Hope to be useful

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Yogesh Jilhawar | View Question on Stackoverflow
Solution 1 - Ssl Certificate | shalamus | View Answer on Stackoverflow
Solution 2 - Ssl Certificate | Amin | View Answer on Stackoverflow
Solution 3 - Ssl Certificate | nyedidikeke | View Answer on Stackoverflow
Solution 4 - Ssl Certificate | lupguo | View Answer on Stackoverflow
Solution 5 - Ssl Certificate | downtheroad | View Answer on Stackoverflow
Solution 6 - Ssl Certificate | S. Saleh Miri | View Answer on Stackoverflow