11

I am generating a self-signed certificate for a development server but I need it to be trusted in order to use some of the tools that will be using the certificate.

This is what I have tried:

openssl req -newkey rsa:2048 -x509 -nodes -keyout /etc/ssl/private/server.key -new -out /etc/ssl/certs/server.crt -reqexts v3_req -extensions v3_req -config /vagrant/openssl.san.conf -sha256 -days 1825

ln --symbolic /etc/ssl/certs/server.crt /etc/pki/ca-trust/source/anchors/server.crt

update-ca-trust extract

I tried grepping the ca-bundle.crt file for the contents of server.crt after running the update-ca-trust command but it wasn't there.

I have also tried copying the file instead of making a symlink but that did not work either.

The certificate is created correctly and works for Apache but it produces the self-signed error:

[vagrant@localhost certs]$ curl --head https://localhost/
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

How can I trust my self-signed certificate on the command line on the server?

rink.attendant.6
  • 44,500
  • 61
  • 101
  • 156

2 Answers2

2

Your problem is that update-ca-trust accepts only certificates marked as CA. There is a X.509 extension called Basic Constraints which is used to mark whether a certificate belongs to a CA or not. update-ca-trust silently skips those not marked as CA.

Check your certificate for the CA constraint:

openssl x509 -noout -text -in <cert_file> | grep "CA:TRUE"

The CA:TRUE can be set using the OpenSSL config.

Yuri
  • 4,254
  • 1
  • 29
  • 46
1

I simply issue the following command and fill my private DNS name in Common Name section.

openssl req  -new -x509 -newkey rsa:2048 -nodes  -keyout ca.key -days 365 -out ca.crt

After the following commands, the self-signed certificate will be trust.

cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
Weshome
  • 11
  • 2