If your backend components or application servers use a custom CA (Certificate Authority), then you may need to add it to the system trusted root certificate store so that the standard tools and other utilities trust the TLS communication.
Create directory
sudo mkdir -p /usr/share/ca-certificates/extra
cd $_
Create new certificates on filesystem
Put your new .crt file into the ‘extra’ directory created in the previous step. Note this ‘.crt’ file should be a single certificate in text format:
- ensure it is text PEM, not binary DER
- ensure it holds exactly one certificate, not a PEM bundle of several
Add new certificates
# adds your new 'extra' certs to ca-certificates.conf
sudo dpkg-reconfigure ca-certificates
# GUI will come up
# Select 'Yes' to trust new certs
# Select checkbox for certs added to 'extra' directory

# verify cert from 'extra' was added
grep extra /etc/ca-certificates.conf
Commit changes
sudo update-ca-certificates
Now, standard utilities like wget/curl will trust communication rooted at this new certificate authority.
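The steps above collapsed into one non-interactive script (an added example, not from the original post). It assumes the same layout the steps rely on: PEM files under /usr/share/ca-certificates/extra and /etc/ca-certificates.conf listing one relative path per line, a leading '!' meaning deselected. It first applies the two sanity checks the text asks for (text PEM, exactly one certificate), then registers the file by appending its relative path to the conf, which is what ticking the box in the dpkg-reconfigure dialog does. The function names check_single_pem_cert and install_extra_ca are mine.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code. Assumes the Debian/Ubuntu
# ca-certificates layout:
#   /usr/share/ca-certificates/<subdir>/<file>.crt   the PEM files
#   /etc/ca-certificates.conf                        selected files, one relative
#                                                    path per line, '!' = deselected
set -eu

EXTRA_DIR=/usr/share/ca-certificates/extra
CONF=/etc/ca-certificates.conf

# check_single_pem_cert FILE
# Succeeds only when FILE is text PEM holding exactly one certificate, i.e. the
# two conditions listed above (not binary DER, not a multi-cert bundle).
check_single_pem_cert() {
    local f=$1 begins ends
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }

    # DER is raw ASN.1 (first byte 0x30); any non-printable byte means "not PEM".
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        echo "$f: binary data, not PEM text (convert with: openssl x509 -inform der -in $f -out $f.pem)" >&2
        return 1
    fi

    # grep -c prints 0 and exits 1 on no match, so keep the assignment alive.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$f: expected exactly one certificate, found $begins BEGIN / $ends END lines" >&2
        return 1
    fi
}

# install_extra_ca FILE
# Copies FILE into the 'extra' directory, selects it in ca-certificates.conf
# and rebuilds /etc/ssl/certs. Must run as root.
install_extra_ca() {
    local f=$1 name
    check_single_pem_cert "$f"
    name=$(basename "$f")
    install -d -m 0755 "$EXTRA_DIR"
    install -m 0644 "$f" "$EXTRA_DIR/$name"
    # Drop a deselected '!extra/<name>' entry if one exists, then add the
    # selected entry exactly once.
    sed -i "\#^!extra/$name\$#d" "$CONF"
    grep -qx "extra/$name" "$CONF" || echo "extra/$name" >> "$CONF"
    update-ca-certificates
}

# Usage: sudo ./add-extra-ca.sh my-ca.crt
if [ -n "${1:-}" ]; then
    install_extra_ca "$1"
fi
```

After the script runs, the same `grep extra /etc/ca-certificates.conf` check from the steps above shows the new line, and `ls -l /etc/ssl/certs | grep <name>` shows the symlink update-ca-certificates created for it.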
If you need to add certificate trust to Chrome or Firefox browsers on Linux, they both use their own internal certificate stores, see the section “Browser Evaluation” of my other article.
NOTES
Public and globally trusted root certificates can be installed using the standard
sudo apt-get install ca-certificates -y
Checking
# verify cert using a specific CA
openssl verify -CAfile ca.pem cert.pem

# verify cert using the system root cert store
openssl verify cert.pem
To do a full refresh of the certificate store
sudo update-ca-certificates --fresh