4

I'm running Ubuntu 18.04 on Windows Subsystem for Linux 2. I am making a curl request to a web service running on the Windows side using a self-signed certificate. I receive this error:

curl: (60) SSL certificate problem: unable to get local issuer certificate

I'd like to add the cert to the local store. I have a .pfx file available. I know I can use -k but I want to use other command line tools against this server.

How do I do this?

My own trials

openssl s_client -showcerts -servername server -connect server:443 > foo.pem
openssl x509 -in foo.pem -inform PEM -out foo.crt
sudo cp foo.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

This looks plausible but didn't work, curl still has the same complaint.

I also tried to use a DER version.

sudo rm /usr/local/share/ca-certificates/windows_cert.crt
openssl x509 -in windows_cert.pem -inform PEM -out windows_cert_der.crt -outform DER
sudo cp windows_cert_der.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Give up

Don't worry, I started following some of the replies here.

https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

But got nowhere, its obviously a very hard problem in the world of computing.

I've found that a few months back they added a switch to the command line tool I need to use that ignores certificate problems.

Community
  • 1
Luke Puplett
  • 939
  • 3
  • 16
  • 24

2 Answers2

2

You can use the openssl command to convert nearly any certificate format to another. PFX is another name for a pkcs12 container.

If you can extract the cert in PEM format curl should be able to use it.

openssl pkcs12 -in cert.pfx -clcerts -out cert.pem

This may ask you for a password which will be the one used to secure the PKCS12 file

You want to use the output cert.pem file with the --cacert curl command line option not -k

hardillb
  • 1,552
  • 2
  • 12
  • 23
  • Wonderful, thanks. Can you elaborate on "installing" the certificate into a store so its trusted by any client tool? – Luke Puplett Feb 18 '20 at 12:39
  • You might want to try putting the DER encoded file in `/usr/share/ca-certificates` rather than in `/usr/local...` – hardillb Feb 18 '20 at 12:46
  • The `-clcerts` option is for client certificates. Didn't you guys mean `-cacerts`? By the way, not every pfx contains the certificate chain, unless of course the certificate is self-signed. – Gerrit Feb 18 '20 at 13:22
  • 2
    I don't really know what I mean, I don't know about certificates, I just want tools running on Ubuntu to trust my development HTTPS website with a self-signed certificate. I literally don't care how its done, I just need my life back. – Luke Puplett Feb 18 '20 at 13:37
  • I'm suggesting that the `update-ca-certificate` tool is not looking in the `/usr/local/share/ca-certificate` directory and you should put your cert into `/usr/share/ca-certificate` for it to be added to the trusted set – hardillb Feb 18 '20 at 13:44
  • @user188737 no, the OP said it was a self signed cert it shouldn't matter which you use, but using the client cert covers the situation you mentioned of not having a CA chain. – hardillb Feb 18 '20 at 13:45
  • Hello, I converted my .pfx certificate this way but after opening it in KDE GUI, I can't unlock the new .pem cert because it said - password is wrong. I used same password/passphrase everywhere pasting it, so not sure what password is needed. – Psijic Aug 12 '21 at 08:16
2

Under the Debian family the distribution way of handling a trust certificate is as follows (reverse engineered by looking at update-ca-certificates):

I will use myca as a standin name for your ca (or self-signed) cert and myca.crt as the file with the certificate (DER or PEM). The .crt is mandatory.

  • Make directory under /usr/share/ca-certificates
    • mkdir /usr/share/ca-certificates/myca
  • Put the ca.crt in it
    • cp ./ca.crt /usr/share/ca-certificates/myca/
  • Run dpkg-reconfigure ca-certificates, choose ask to selectively add new trust anchors and select in the second screen your new myca/myca.crt and press OK
    • dpkg-reconfigure ca-certificates

To do it more programmatically

After you made the directory and put your cert in:

echo myca/myca.crt >> /etc/ca-certificates.conf
/usr/sbin/update-ca-certificates

This last method does not record the configure setting in /var/cache/debconf/config.dat so if you run dpkg-reconfigure ca-certificates or update the ca-certificates package, your new trust anchor may disappear again. Running update-ca-certificates is safe.

To get only the certificate from a pfx with self-signed certificate:

openssl pkcs12 -in my.pfx -nokeys -out myca.crt

And enter the password to open the pfx.

Adding a self-signed certificate to the root level central trust repository does mean that everyone who possesses its private key gets ways to do MITM attacks on your server.

Gerrit
  • 1,552
  • 8
  • 8