
Adding Self-Signed Certificates


by twitconredo1985 2020. 2. 9. 22:01


Find self signed certificate

It would be good to know if the trustStore management is the section used to manage self-signed third-party certificates, and if there are any additional steps required after adding the certificate to the trustStore.

Note that, depending on how the certificate is configured and how you add it, this may allow your self-signed certificate to sign certificates for any domain. (This is not something you want.) – duskwuff Feb 4 '16 at 19:48

The simple answer to this is that pretty much every application will handle it differently. OpenSSL and GnuTLS (the most widely used libraries for handling signed certificates) also behave differently in their treatment of certs, which further complicates the issue. On top of that, operating systems use different mechanisms to manage the 'root CA' set trusted by most websites.

That aside, taking Debian as an example. Install the ca-certificates package:

    apt-get install ca-certificates

You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):

    cp cacert.pem /usr/share/ca-certificates

And to get it to rebuild the directory with your certificate included, run as root:

    dpkg-reconfigure ca-certificates

and select the ask option, scroll to your certificate, mark it for inclusion and select ok.

Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:

    certutil -d sql:$HOME/.pki/nssdb -A -t 'C,' -n 'My Homemade CA' -i /path/to/CA/cert.file

Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it into the Root CA list.

Most other commands, such as curl, take command-line switches you can use to point at your CA:

    curl --cacert /path/to/CA/cert.file

or drop SSL validation altogether:

    curl --insecure

The rest will need individual investigation if the ca-certificates-like trick does not sort it for that particular application.

Non Interactive Approach (Oct'18) for recent Debian based systems

The approach of just copying a cert file and calling update-ca-certificates isn't working anymore. There's a distinction between adding a cert to the host's store and activating it so that applications really utilize it. An existing cert in the store isn't necessarily used (although I have to admit that still a lot of packages are getting it wrong anyway). This can get confusing when you set up a package which considers /etc/ca-certificates.conf and simply refuses to use your cert although it has been added without error. You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificates.conf.

    #!/bin/bash
    CERT=mycert.crt
    cp /mypath/to/$CERT /usr/local/share/ca-certificates/$CERT
    # notice the + sign which tells to activate the cert!!!
    # (double quotes so $CERT expands; the '>' redirection was lost in the copy above)
    echo "+$CERT" > /etc/ca-certificates/update.d/activatemycert
    update-ca-certificates;

By the way, activating a cert is exactly what dpkg-reconfigure ca-certificates is doing.
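The distinction the last answer draws, between a CA file being present in the store and being activated so that it ends up in the bundle applications read, is easy to check from the shell. The following is an added example, not code from the original answers: a few POSIX sh helpers that report whether an entry in /etc/ca-certificates.conf is active, deselected (leading '!') or absent, activate it idempotently (the non-interactive equivalent of ticking it in dpkg-reconfigure ca-certificates), and verify that a certificate actually reached the concatenated bundle. The function names, the default paths and the sample conf lines are this example's own assumptions; it relies on the documented Debian behaviour that *.crt files under /usr/local/share/ca-certificates are trusted without a conf entry, while files under /usr/share/ca-certificates need one.

```shell
#!/bin/sh
# Added example, not part of the original answers. Helpers that separate
# "present in the store" from "activated" on Debian/Ubuntu.
# Assumed Debian layout; paths can be overridden in the environment for testing.
CONF=${CONF:-/etc/ca-certificates.conf}                  # entries relative to /usr/share/ca-certificates
LOCAL_DIR=${LOCAL_DIR:-/usr/local/share/ca-certificates} # *.crt here are trusted implicitly
BUNDLE=${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}     # bundle written by update-ca-certificates

# ca_status CONF ENTRY -> prints active | deselected | absent
# ENTRY is a path relative to /usr/share/ca-certificates, e.g. mozilla/Foo.crt.
ca_status() {
    if grep -qxF -- "$2" "$1"; then
        echo active
    elif grep -qxF -- "!$2" "$1"; then
        echo deselected
    else
        echo absent
    fi
}

# ca_activate CONF ENTRY -> make ENTRY active (idempotent); prints the final status.
ca_activate() {
    case $(ca_status "$1" "$2") in
        active) ;;
        deselected)
            # drop the leading '!' on that exact line only (whole-line compare, no regex)
            awk -v e="$2" '$0 == ("!" e) { print e; next } { print }' "$1" > "$1.tmp" \
                && mv "$1.tmp" "$1" ;;
        absent)
            printf '%s\n' "$2" >> "$1" ;;
    esac
    ca_status "$1" "$2"
}

# ca_in_bundle BUNDLE CERTFILE -> 0 if CERTFILE's PEM body is present in BUNDLE.
# Uses the first base64 line after the BEGIN marker as the lookup key. A cert
# dropped into /usr/share/ca-certificates but never listed in the conf fails this.
ca_in_bundle() {
    key=$(sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}' "$2")
    [ -n "$key" ] && grep -qxF -- "$key" "$1"
}

# install_local_ca CERTFILE NAME -> copy into LOCAL_DIR (no conf edit needed there),
# rebuild the bundle, then verify the cert really landed in it. Needs root.
install_local_ca() {
    [ "$(id -u)" -eq 0 ] || { echo "install_local_ca: run as root" >&2; return 1; }
    install -m 0644 "$1" "$LOCAL_DIR/$2.crt"
    update-ca-certificates >/dev/null
    ca_in_bundle "$BUNDLE" "$1"
}

# Usage (as root):  . ./ca_trust.sh && install_local_ca /path/to/myca.pem myca
# For a cert that lives under /usr/share/ca-certificates instead:
#   ca_activate "$CONF" local/myca.crt && update-ca-certificates
```

The check in ca_in_bundle is the one worth keeping around: after any of the procedures above, a cert that is not in /etc/ssl/certs/ca-certificates.crt is not trusted by OpenSSL-based tools, whatever the conf file or the update.d hook says.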