10

I am fairly new to this but I've done some internet research the last 2 days and I couldn't find a suitable answer.

I have been given a ca-certificate chain (cacertchain.crt) which I need to import to a server running RHEL7 (no GUI). The server has the ca-bundle.crt file. I have tried to put cacertchain.crt to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust and update-ca-trust extract but I couldn't see any changes to the ca-bundle.crt file.

So my question: is there a way of importing a ca-certificate chain (.crt) to RHEL7 keystore?

The certificate chain (cacertchain.crt) includes:

Root Certificate Subject CN - VeriSign Class 3 Public Primary Certification Authority - G5 (I believe this is already available in ca-bundle.crt)

Intermediate Certificate Subject CN - Symantec Class 3 EV SSL CA - G3

daelas
  • Import it where? – Michael Hampton Dec 01 '15 at 12:58
  • I just want to add/import it to the server's trusted keystore. As far as I understand for RHEL7 would be the ca-bundle.crt file. I could be wrong though. – daelas Dec 01 '15 at 13:06
  • For what purpose? There is no global keystore on Linux operating systems. – Michael Hampton Dec 01 '15 at 13:37
  • In addition to Michael's comment, some of the default applications Red Hat ships do use a central location, as documented in [RHEL solution 1549003](https://access.redhat.com/solutions/1549003), but many more do not and will need an application specific configuration... – HBruijn Dec 01 '15 at 14:54
  • Thanks for pointing it out, I thought ca-bundle.crt was used as a global keystore. The certs are required by an httpd application (for external connections). – daelas Dec 01 '15 at 14:59

4 Answers

11

It appears that including the ca-cert bundle in /etc/pki/ca-trust/source/ and running update-ca-trust extract worked fine.

daelas
  • In my case I needed to install an intermediate (instead of a Root) cert, on release 7.6. After a look at a README file in /etc/pki/ca-trust, I opted for putting the cert retrieved from CA's website into `/usr/share/pki/ca-trust-source/anchors/` and then run just `update-ca-trust` and it worked fine for me. Also quick tip to help verify results: `trust list | grep label ; trust list | grep label | wc -l` – Justin Mar 19 '21 at 21:52
5

Copy the certificates to /etc/pki/ca-trust/source/anchors/ and after that execute update-ca-trust extract.

They should be available to all applications that check that path for certificates (for example wget and curl).

Yuri
cristi
1

These 3 steps work for me in these cases:

  1. certificate to /etc/pki/ca-trust/source/anchors/
  2. update-ca-trust force-enable
  3. update-ca-trust extract
Judavi
1

Disambiguation

I think the given answers and comments are mixing up two different cases.

According to /etc/pki/ca-trust/source/README:

    This directory /etc/pki/ca-trust/source/ contains CA certificates and
    trust settings in the PEM file format. The trust settings found here will be
    interpreted with a high priority - higher than the ones found in
    /usr/share/pki/ca-trust-source/.

    =============================================================================
    QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
                list of CAs trusted on the system:

                Copy it to the
                        /etc/pki/ca-trust/source/anchors/
                subdirectory, and run the
                        update-ca-trust
                command.

                If your certificate is in the extended BEGIN TRUSTED file format,
                then place it into the main source/ directory instead.
    =============================================================================

    Please refer to the update-ca-trust(8) manual page for additional information.

Note this paragraph:

If your certificate is in the extended BEGIN TRUSTED file format, then place it into the main source/ directory instead.

In case you want to install a .crt file:

  1. Copy:

    cp extendedcert.crt /etc/pki/ca-trust/source/
    
  2. Apply:

    update-ca-trust
    

In case you want to install a .cer file:

  1. Copy:

    cp simplecert.cer /etc/pki/ca-trust/source/anchors/
    
  2. Apply:

    update-ca-trust
    
stackprotector
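
The README quoted above assigns the directory by file format (simple PEM or DER versus the extended BEGIN TRUSTED format). The following is an added example, not code from the README or from any answer on this page, that picks the directory by inspecting the file's content and counts the certificates in a chain file. The function names, the staging-root parameter, and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose the ca-trust source directory from the file's content.
SRC=/etc/pki/ca-trust/source   # directory named in the README quoted above

# Print the directory the README assigns to this file's format.
ca_trust_dest() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' "$1"; then
        echo "$SRC"               # extended format: main source/ directory
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "$SRC/anchors"       # simple PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = 30 ]; then
        echo "$SRC/anchors"       # DER begins with an ASN.1 SEQUENCE tag (0x30)
    else
        echo "not a certificate: $1" >&2; return 1
    fi
}

# Number of PEM certificates in the file (a chain file holds several).
pem_cert_count() {
    grep -c -e '-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$1"
}

# Copy the file into place under an optional staging root (hypothetical
# parameter; empty means the live system) and print the resulting path.
stage_ca_file() {
    dest=$(ca_trust_dest "$1") || return
    mkdir -p "$2$dest" && cp -- "$1" "$2$dest/" && echo "$2$dest/$(basename "$1")"
}

# Constructed sample files; the bodies are placeholders, not real certificates.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' \
    > "$demo/cacertchain.crt"
printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----' 'CCCC' \
    '-----END TRUSTED CERTIFICATE-----' > "$demo/extended.cer"

for f in "$demo"/*; do
    echo "$(basename "$f"): $(pem_cert_count "$f") cert(s) -> $(stage_ca_file "$f" "$demo/root")"
done
# On the server itself: run stage_ca_file FILE "" as root, then update-ca-trust.
```

After `update-ca-trust`, the `trust list | grep label` check from the comment above confirms whether the certificates were picked up.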