Linux update CA certificates

Last updated: 2017-06-01

Contents

  • Ubuntu
  • CentOS 6
  • Folder
  • CentOS 7

Ubuntu

Debian and Ubuntu ship update-ca-certificates (package ca-certificates) instead of update-ca-trust. Copy your CA into /usr/local/share/ca-certificates/ as a PEM file whose name ends in .crt (files with any other extension are ignored, and DER must be converted to PEM first), then run:

update-ca-certificates

This rebuilds /etc/ssl/certs/ca-certificates.crt, the bundle most applications read, and refreshes the hashed links under /etc/ssl/certs/.


CentOS 6

update-ca-trust - manage consolidated and dynamic configuration of CA certificates and associated trust

The consolidated configuration is meant for applications that read the generated files under /etc/pki/ca-trust/extracted/

or that load the PKCS#11 module p11-kit-trust.so. Legacy paths such as /etc/pki/tls/certs/ca-bundle.crt point at that output on CentOS 7 by default, and on CentOS 6 only after "update-ca-trust enable" has been run once.

# Install

yum install ca-certificates

# provides: update-ca-trust

# /usr/share/pki/ca-trust-source/   <-- CA certificates and trust settings shipped by the distribution, in PEM format (low priority)

# /etc/pki/ca-trust/source/            <-- local additions; higher priority than "/usr/share/pki/ca-trust-source/"

Usage

# To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

1. copy it as a new file into the anchors directory (a file may hold a single CA or a bundle of several)

cp my.pem /etc/pki/ca-trust/source/anchors

2. regenerate the consolidated files under /etc/pki/ca-trust/extracted/

update-ca-trust extract

"update-ca-trust" with no arguments does the same as "update-ca-trust extract". On CentOS 6 run "update-ca-trust enable" once before this; until the feature is enabled the legacy bundle files stay static copies and the new anchor is never picked up.

Files (output files)

These are the files that "update-ca-trust extract" regenerates:

/etc/pki/tls/certs/ca-bundle.crt                 # simple BEGIN/END CERTIFICATE file format, one CA after another:

# COMODO RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907Y...
...
-----END CERTIFICATE-----

# ACCVRAIZ1
-----BEGIN CERTIFICATE-----
MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJ...
...

/etc/pki/tls/certs/ca-bundle.trust.crt         # extended BEGIN/END TRUSTED CERTIFICATE file format (carries the trust flags)

/etc/pki/ca-trust/extracted                       # created by "update-ca-trust extract"; the two bundles above are links into it once the feature is enabled

ls /etc/pki/ca-trust/extracted

java  openssl  pem  README


Folder

Simple trust anchors subdirectory (plain PEM or DER; every certificate here becomes a trusted CA):

/usr/share/pki/ca-trust-source/anchors/

/etc/pki/ca-trust/source/anchors/             # '/etc' overrides any other default configuration

Extended format directory (files in the BEGIN TRUSTED CERTIFICATE format, which carry their own trust flags):

/usr/share/pki/ca-trust-source/

/etc/pki/ca-trust/source/

Blacklist subdirectory (certificates placed here are distrusted):

/usr/share/pki/ca-trust-source/blacklist/

/etc/pki/ca-trust/source/blacklist/

Generated output:

/etc/pki/ca-trust/extracted/

Contains consolidated and automatically generated configuration files for consumption by applications,

which are created using the "update-ca-trust extract" command. Do not edit them by hand; the next extract overwrites them.

If your certificate is in the extended "BEGIN TRUSTED" file format

(which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:

add it as a new file to directory /etc/pki/ca-trust/source/ (not the anchors/ subdirectory, which is for the simple formats) and run "update-ca-trust extract"

 


CentOS 7: add a trusted certificate

Method 1

yum install ca-certificates

update-ca-trust

This only regenerates the consolidated files from what is already in the source directories; on its own it adds nothing, so it is enough only when the certificate is already in place under /etc/pki/ca-trust/source/.

Method 2

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy it in and then extract:

cp foo.crt /etc/pki/ca-trust/source/anchors/

OR (a bundle holding several CAs)

cp foo.ca-bundle.crt /etc/pki/ca-trust/source/anchors/

update-ca-trust extract
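The procedure in the Ubuntu section, in the CentOS 6 "Usage" steps and in method 2 above, as one added example that is not part of the original page: it classifies the certificate file (simple PEM, DER, or the extended BEGIN TRUSTED format), copies it to the directory each tool expects, regenerates the bundles and then checks with openssl that the CA is really trusted. The function names and the CA_TRUST_ROOT prefix (which lets the copy step be exercised against a scratch directory without root) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): install one CA certificate
# into the system trust store, picking the target directory from the file
# format as update-ca-trust and update-ca-certificates expect, then check
# that the CA is really trusted. CA_TRUST_ROOT is an assumption of this
# example: a prefix put in front of every absolute path so the functions
# can be exercised against a scratch directory without root.

# Classify a certificate file: "trusted" (extended BEGIN TRUSTED CERTIFICATE
# format, may carry distrust or usage flags), "pem" (simple BEGIN CERTIFICATE),
# "der" (binary ASN.1 SEQUENCE, first byte 0x30) or "unknown".
ca_file_format() {
    f="$1"
    if grep -q -- '-----BEGIN TRUSTED CERTIFICATE-----' "$f"; then
        echo trusted
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Number of certificates in a PEM bundle (simple or extended format).
count_certs() {
    grep -c -- '-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$1" || true
}

# Consolidated PEM bundle that applications on this system read.
bundle_path() {
    root="${CA_TRUST_ROOT:-}"
    if [ -d "$root/etc/pki/ca-trust" ]; then
        echo "$root/etc/pki/tls/certs/ca-bundle.crt"      # CentOS/RHEL
    else
        echo "$root/etc/ssl/certs/ca-certificates.crt"   # Debian/Ubuntu
    fi
}

# Copy a CA file into the right source directory and print the destination.
# Does not regenerate the stores; call refresh_trust afterwards.
install_ca_file() {
    src="$1"
    root="${CA_TRUST_ROOT:-}"
    fmt=$(ca_file_format "$src")
    base=$(basename "$src")
    if [ -d "$root/etc/pki/ca-trust/source" ]; then
        # update-ca-trust: simple PEM/DER go to anchors/, the extended
        # format goes one level up so its own trust flags are honoured.
        case "$fmt" in
            pem|der) dest="$root/etc/pki/ca-trust/source/anchors/$base" ;;
            trusted) dest="$root/etc/pki/ca-trust/source/$base" ;;
            *) echo "not a certificate: $src" >&2; return 1 ;;
        esac
    elif [ -d "$root/usr/local/share/ca-certificates" ]; then
        # update-ca-certificates: PEM only, and only files named *.crt
        # are picked up (convert DER first with openssl x509 -inform DER).
        case "$fmt" in
            pem) dest="$root/usr/local/share/ca-certificates/${base%.*}.crt" ;;
            *) echo "update-ca-certificates needs simple PEM: $src" >&2; return 1 ;;
        esac
    else
        echo "no known system trust store under '${root:-/}'" >&2
        return 1
    fi
    cp "$src" "$dest" && chmod 0644 "$dest" && echo "$dest"
}

# Regenerate the consolidated bundles (needs root on a real system).
refresh_trust() {
    if command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust extract
    elif command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    else
        echo "neither update-ca-trust nor update-ca-certificates found" >&2
        return 1
    fi
}

# Confirm the CA is trusted now: openssl verify succeeds for a self-signed
# CA only if the bundle contains it (an intermediate also needs its root
# to be present). Needs openssl.
ca_is_trusted() {
    inform=PEM
    [ "$(ca_file_format "$1")" = der ] && inform=DER
    openssl x509 -inform "$inform" -in "$1" \
        | openssl verify -CAfile "$(bundle_path)" >/dev/null
}

# Usage (as root on the target machine): sh install-ca.sh my-ca.pem
if [ -n "${1:-}" ]; then
    dest=$(install_ca_file "$1") && refresh_trust && ca_is_trusted "$1" \
        && echo "installed $dest; $(count_certs "$(bundle_path)") CAs in $(bundle_path)"
fi
```

The final openssl verify step is the check that actually matters: a file sitting in anchors/ proves nothing until the extract has run and the bundle the applications read contains the CA.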

Remark: how to obtain the CA certificate

Open a web page that uses the CA in Firefox

Click the lock icon in the address bar -> show information -> show certificate

The certificate viewer opens

Click "Details" and pick the certificate in the chain that you want to import into CentOS (for an internal CA that is the root at the top of the chain, not the server's own leaf certificate)

Click "Export..." and save it as a .crt file

Whatever you put in the system store can issue certificates for any hostname that every TLS client on the machine will then accept, so before installing a CA exported this way confirm its SHA-256 fingerprint with the CA's owner through an independent channel; the browser only shows you what that one server sent.