Linux: Place own/custom certificates in /etc/ssl/certs

Hi,

sometimes it is necessary to add an own root/intermediate CA top your machine CA store.


It consists of three steps. Get the certificate, generate a hash of the ceritificate and create an symlink hash -> certificate.

For example the QuoVadis Global SSL ICA G3 certificate.

Get the certificate in pem (base64) format

root@debdev ~ # wget https://www.quovadisglobal.com/wp-content/files/media/quoVadisglobalsslicag3-pem.pem -O /etc/ssl/certs/quoVadis_global_ssl_ica_g3.pem

If you have a certificate in binary or rather in der format you must convert it to pem format.

root@debdev ~ # openssl x509 -inform der -in /home/quoVadis_global_ssl_ica_g3.crt -out /etc/ssl/certs/quoVadis_global_ssl_ica_g3.pem

Generate the hash

root@debdev ~ # openssl x509 -hash -noout -in /etc/ssl/certs/quoVadis_global_ssl_ica_g3.pem
35e514f6

and create an symlink hash to certificate (append .0 to the hash)

root@debdev ~ # ln -s /etc/ssl/certs/quoVadis_global_ssl_ica_g3.pem /etc/ssl/certs/35e514f6.0
35e514f6

Test (my_uoVadis_global_ssl_ica_g3_signed_certificate.pem is a certificate signed by QuoVadis Global SSL ICA G3)

root@debdev:~/ #  openssl verify -verbose -CApath /etc/ssl/certs -verbose my_uoVadis_global_ssl_ica_g3_signed_certificate.pem
my_uoVadis_global_ssl_ica_g3_signed_certificate.pem: OK

Michael

Leave a Reply Cancel reply