
I'm trying to install the public CA certificate of a 3rd party service, onto a Debian instance. I'm doing this so that the SSL certificate of the 3rd party service that I'm connecting to can be validated as a trusted authority.

I have a public .pem certificate. I've copied it into /usr/local/share/ca-certificates on the instance. I then create a .crt version of the certificate using openssl like this:

openssl x509 -outform der -in MYCERTIFICATE.pem -out MYCERTIFICATE.crt

I then run an update of ca-certificates using sudo update-ca-certificates (from within the /usr/local/share/ca-certificates directory).

If I then view the certificates in /etc/ssl, I see MYCERTIFICATE.pem listed, but if I inspect all of the 'subject' headings in the ca-certificates.crt using the following, I don't see the subject line of my certificate listed:

awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

If my understanding is correct, I should see the subject of my certificate listed here for it to be recognised as a certificate that needs to be referenced in order to verify the certificate being supplied by the 3rd party service I'm connecting to? Is this correct, and if so, why isn't my certificate being listed in ca-certificates.crt?

Chris Halcrow
The certs in the directory /etc/ssl/certs or file .../ca-certificates.crt used by OpenSSL **must be PEM format**; DER format data is not recognized and discarded as a 'comment'. `update-ca-certificates` apparently doesn't check this, and the man page doesn't specify (unlike the RedHat equivalent `update-ca-trust`); I think this is a defect and you should get back every penny you paid for it :-) Also to be clear, the 'CA' certs used by OpenSSL for chain validation by default must specifically be _root_ CA certs, not just any CA certs. – dave_thompson_085 Feb 01 '21 at 02:29
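Added example (not from the question or the comment): a small POSIX shell helper that checks whether a file dropped into /usr/local/share/ca-certificates is PEM or DER, converts DER to PEM, and writes it with the .crt name that update-ca-certificates expects. The function names, the CA_DIR variable and the sample files in the comments are assumptions for illustration.

```shell
#!/bin/sh
# update-ca-certificates only bundles *.crt files under $CA_DIR that hold
# PEM text; a DER-encoded .crt (as produced by "openssl x509 -outform der")
# is silently skipped, so its subject never shows up in ca-certificates.crt.
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"

# cert_format FILE -> prints "pem", "der" or "unknown".
# PEM carries the textual BEGIN CERTIFICATE marker; DER begins with the
# ASN.1 SEQUENCE tag byte 0x30.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' ')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# install_ca FILE -> places a PEM copy named <basename>.crt in $CA_DIR,
# converting DER with openssl when needed, and prints the resulting path.
# Returns 1 for input that is neither PEM nor DER.
install_ca() {
    src="$1"
    name=$(basename "$src")
    name="${name%.*}.crt"      # only *.crt files are picked up
    case "$(cert_format "$src")" in
        pem) cp "$src" "$CA_DIR/$name" || return 1 ;;
        der) openssl x509 -inform der -in "$src" -outform pem \
                 -out "$CA_DIR/$name" || return 1 ;;
        *)   echo "unrecognised certificate format: $src" >&2; return 1 ;;
    esac
    echo "$CA_DIR/$name"
}

# Usage: sh install_ca.sh MYCERTIFICATE.pem && sudo update-ca-certificates
if [ "$#" -gt 0 ]; then
    install_ca "$1"
fi
```

After running update-ca-certificates, the awk pipeline from the question should then list the certificate's subject.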
