There are two ways to add a CA certificate to the system trust store on Linux: update-ca-trust or trust anchor.
The ca-certificates package must be installed first: yum install ca-certificates.
Understanding Root CA certificate
SSL certificates rely on a structure called the certificate chain: a sequence of certificates that leads back to the organization that issued the certificate, known as a certificate authority (CA). A chain consists of a root certificate, one or more intermediate certificates, and the leaf (server) certificate.
Root CA certificates are self-signed by their respective CA (which has the authority to do so). Every valid SSL certificate chains up to a Root CA certificate, because the root CAs are the trusted parties.
Do we need to install a CA certificate?
Typically we don't need to install a Root CA certificate, as the well-known ones are included in web browsers' trust stores and are even pre-installed on some operating systems.
This is how our computer tells whether a certificate is trustworthy: if the root certificate at the top of its chain is not in the trusted root CA list, the client warns us that the certificate is not trusted. A private or internal CA therefore has to be added to the trust store explicitly.
Using update-ca-trust to install a CA certificate
- Copy the CA certificate to the directory /etc/pki/ca-trust/source/anchors/:
# cp rapidSSL-ca.crt /etc/pki/ca-trust/source/anchors/
- Run update-ca-trust to extract the anchors into the consolidated list of trusted CAs:
# update-ca-trust
- Verify the server certificate against the system trust store (this only succeeds if server.crt was issued by the CA just added):
# openssl verify server.crt
server.crt: OK
Using trust anchor to add a CA certificate
Run trust anchor --store with the CA certificate as its argument:
# trust anchor --store ca.crt
Check the list of trusted CAs:
# trust list
pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a
type: certificate
label: RapidSSL RSA CA 2018
trust: anchor
category: authority
..snip..
Verify the server certificate:
# openssl verify server.crt
server.crt: OK
If we want to remove the CA certificate, run trust anchor --remove with either the pkcs11 URI shown by trust list or the path of the stored anchor file:
# trust anchor --remove pkcs11:id=%53%ca%17%59
or
# trust anchor --remove /etc/pki/ca-trust/source/RapidSSL_RSA_CA_2018.p11-kit
List all CA certificates in Linux
Once the CA certificate is added, it is made available through the /etc/pki/ca-trust/extracted tree:
$ ls /etc/pki/ca-trust/extracted
edk2 java openssl pem README
Applications that look to this directory to verify certificates can use any of the formats provided. The update command handles the copies, conversions, and consolidation for the different formats.
The man page for update-ca-trust has more information about the directory structure, formats, and ways that certificates are accessed.
A quick way to list all of the certificate subjects in the bundle is the following combination of awk and openssl, which pipes each PEM block to openssl x509 in turn:
$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
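As an added check (example code written for this page, not from the original post or from the ca-certificates package): after update-ca-trust has run, confirm that the anchor really landed in the consolidated bundle by comparing SHA-256 fingerprints of the DER certificates, the same value that openssl x509 -noout -fingerprint -sha256 prints. The PEM blocks below are constructed placeholders rather than real certificates; check_system() runs the identical check against the real anchor file and bundle on disk.

```python
import base64
import hashlib
import re

# Consolidated bundle that update-ca-trust writes (path from the page).
BUNDLE_PATH = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text: str) -> list:
    """DER bytes of every CERTIFICATE block in a PEM bundle. The '# ...'
    comment lines p11-kit writes between blocks are ignored, since only
    the text between the BEGIN/END markers is base64-decoded."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(pem_text)]

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form printed by
    'openssl x509 -noout -fingerprint -sha256'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def anchor_in_bundle(anchor_pem: str, bundle_pem: str) -> bool:
    """True if the single certificate in anchor_pem is in bundle_pem.
    Comparing DER fingerprints instead of PEM text avoids false negatives
    caused by different line wrapping, CRLF endings or comment lines."""
    anchors = split_bundle(anchor_pem)
    if len(anchors) != 1:
        raise ValueError(f"expected one certificate in anchor file, found {len(anchors)}")
    wanted = fingerprint(anchors[0])
    return any(fingerprint(der) == wanted for der in split_bundle(bundle_pem))

def check_system(anchor_path: str, bundle_path: str = BUNDLE_PATH) -> bool:
    """Same check against files on disk, e.g. right after running update-ca-trust."""
    with open(anchor_path) as a, open(bundle_path) as b:
        return anchor_in_bundle(a.read(), b.read())

def to_pem(der: bytes) -> str:
    """Wrap bytes in a PEM CERTIFICATE block (64-character lines, like openssl)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder byte strings, NOT real certificates,
# so the example runs offline without touching the system trust store.
ANCHOR_DER = b"constructed DER bytes standing in for rapidSSL-ca.crt"
OTHER_DER = b"constructed DER bytes standing in for an unrelated CA"
ANCHOR_PEM = to_pem(ANCHOR_DER)
BUNDLE_PEM = ("# Label: Unrelated CA\n" + to_pem(OTHER_DER)
              + "# Label: RapidSSL RSA CA 2018\n" + to_pem(ANCHOR_DER))
```

On a real host, check_system("/etc/pki/ca-trust/source/anchors/rapidSSL-ca.crt") returning False after update-ca-trust usually means the file was not PEM, was not readable, or the command was not run as root.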