Manage Trust Store CA Certificates

Custom SSL certificates can only be validated if their issuing CAs are present in the system-wide certificate trust store (unless the application uses a dedicated trust store of its own). These CAs might not be installed by default or might not be updated automatically, so here are two options for managing missing CA certificates on Linux.

Each installed CA consists of three parts that we need to take care of:

  • a .crt file located at /usr/share/ca-certificates/mozilla/
  • a .pem file (or a link to the .crt file) located at /etc/ssl/certs/
  • a .0 hash link located at /etc/ssl/certs/

Option 1

Ensure that the package for common CA certificates is installed:

sudo apt-get install ca-certificates

The default certificate trust store is located at /etc/ssl/certs and is managed by the ca-certificates package, which contains the common CAs from Mozilla’s CA Certificate Program. The current contents of the trust store can also be reviewed in the package’s source code repository.

You can update the /etc/ssl/certs directory with the update-ca-certificates program. It generates or reads the /etc/ca-certificates.conf file, a consolidated list of certificates: each line gives the pathname of a CA certificate under /usr/share/ca-certificates which should be trusted.

sudo update-ca-certificates -f

If you need to add custom CAs that are not available in the trust store, download the CA file (PEM encoded) and copy it under a descriptive name to the /usr/local/share/ca-certificates/ directory. Be sure to use a .crt filename extension, for example Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt

Update the system-wide CA database and be sure to select and accept the new certificates in the shown list (a combination of /usr/share/ca-certificates/ and /usr/local/share/ca-certificates/):

sudo dpkg-reconfigure ca-certificates

Check whether the new CA certificate file (.pem) and the hash link (.0) have been added to /etc/ssl/certs.

  • Verify your certificate and its certificate chain, specifying the system-wide trust store as CApath:
openssl verify -show_chain -CApath /etc/ssl/certs mycert.pem

Option 2

If you cannot use the ca-certificates package, you can also create the files, links and hashes manually:

  • Download the needed CA file(s) (PEM encoded) to your system. If you’re not sure which CAs need to be installed, check my other post How to get Issuer CA Certificates of a Custom Certificate.
  • Copy the file using a descriptive name to the /usr/local/share/ca-certificates/ directory. Be sure to use a .crt filename extension, for example Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt
  • Link the file(s) into the system folder. Use an absolute path as the link target: a relative target would be resolved inside /etc/ssl/certs/, where the .crt file does not exist, and the link would dangle.
sudo ln -s /usr/local/share/ca-certificates/Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt /etc/ssl/certs/Sectigo_RSA_Domain_Validation_Secure_Server_CA.pem
  • Create the 8-byte subject hash value of the CA, append the .0 suffix to it and link the file(s). If a link with that hash and the .0 suffix already exists for another CA, use the next free sequence number instead (see the notes below):
cd /etc/ssl/certs/
sudo ln -s Sectigo_RSA_Domain_Validation_Secure_Server_CA.pem "$(openssl x509 -hash -noout -in Sectigo_RSA_Domain_Validation_Secure_Server_CA.pem)".0

  • x509 Multi-purpose certificate utility; can be used to display certificate information, convert certificates, sign certificate requests or edit certificate trust settings
  • -in This option reads a certificate from the specified input file
  • -noout This option omits the output of the encoded certificate
  • -hash Synonym for -subject_hash
  • -subject_hash Prints the subject hash value

  • Verify your certificate and its certificate chain, specifying the system-wide trust store as CApath:
openssl verify -show_chain -CApath /etc/ssl/certs mycert.pem

Additional Notes

https://www.openssl.org/docs/man3.0/man1/openssl-verification-options.html

https://docs.infor.com/ln/10.5/it-it/lnolh/help/tt/onlinemanual/https_soap_generate_hash.html

https://www.openssl.org/docs/manmaster/man3/X509_LOOKUP_hash_dir.html

The certificate directory should contain one certificate or CRL per file in PEM format, with a filename of the form hash.N for a certificate, or hash.rN for a CRL.

The .N or .rN suffix is a sequence number that starts at zero, and is incremented consecutively for each certificate or CRL with the same hash value. Gaps in the sequence numbers are not supported, it is assumed that there are no more objects with the same hash beyond the first missing number in the sequence.

Sequence numbers make it possible for the directory to contain multiple certificates with same subject name hash value. For example, it is possible to have in the store several certificates with same subject or several CRLs with same issuer (and, for example, different validity period).

OpenSSL includes an openssl-rehash(1) utility which creates symlinks with hashed names for all files with .pem suffix in a given directory.

https://www.openssl.org/docs/man3.0/man1/openssl-rehash.html
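The following script is an added example, not part of the original post and not OpenSSL’s rehash tool. It automates the manual steps of Option 2 (copy the CA into the trust directory, create the hash.N link) and applies the sequence-number rules quoted above: it picks the next free N when another CA has the same subject hash, and its check function walks hash.0, hash.1, … only up to the first missing number, exactly as OpenSSL’s lookup does, so a link sitting behind a gap is reported as not trusted. All functions take a trust directory as an argument, so they can be exercised on a scratch directory without root; the function names, the "Constructed Demo CA" subject and the leaf name leaf.example.invalid are assumptions made for this example.

```shell
#!/bin/sh
# trust_store_tools.sh -- constructed example accompanying the post; it is not
# the post's own commands and not openssl-rehash. Needs the openssl CLI plus
# coreutils/diffutils. Works on any directory laid out like /etc/ssl/certs
# (one PEM certificate per file, hash.N symlinks), so it can be tried on a
# scratch directory without root.

# New-style subject hash (8 hex digits) of a PEM certificate, used for hash.N names.
subject_hash() {
    openssl x509 -hash -noout -in "$1"
}

# Create the hash.N symlink for a certificate that already lives inside the
# trust directory. N is the next free sequence number for that hash, so several
# CAs with the same subject name coexist as hash.0, hash.1, ... Re-running is
# harmless: an existing link to the same file is reused. Prints the link name.
add_hash_link() {
    dir="$1"; name=$(basename "$2")
    h=$(subject_hash "$2") || return 1
    n=0
    while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do
        if [ "$(readlink "$dir/$h.$n")" = "$name" ]; then
            printf '%s\n' "$h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$name" "$dir/$h.$n" && printf '%s\n' "$h.$n"
}

# Copy a CA file (.crt or .pem) into the trust directory under a .pem name and link it.
install_ca() {
    base=$(basename "$2"); base=${base%.crt}; base=${base%.pem}
    cp "$2" "$1/$base.pem" && add_hash_link "$1" "$1/$base.pem"
}

# Is this certificate reachable the way OpenSSL looks it up: hash.0, hash.1, ...
# up to the first missing number? A link after a gap (or a dangling link) is
# invisible to OpenSSL even though it sits in the directory.
is_trusted_by_dir() {
    dir="$1"; cert="$2"
    h=$(subject_hash "$cert") || return 1
    n=0
    while [ -e "$dir/$h.$n" ]; do
        if cmp -s "$dir/$h.$n" "$cert"; then
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Verify a certificate chain against the hash directory only (default store disabled).
verify_against_dir() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed test material (assumed names): a self-signed CA and a leaf issued by it.
make_demo_ca() {   # dir common_name basename
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.pem" >/dev/null 2>&1
}
make_demo_leaf() { # dir ca_basename leaf_basename
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.invalid" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -set_serial 1 -in "$1/$3.csr" \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -out "$1/$3.pem" >/dev/null 2>&1
}

# Stand-alone use: trust_store_tools.sh <trust_dir> <ca.crt>
if [ "$#" -eq 2 ]; then
    link=$(install_ca "$1" "$2") && is_trusted_by_dir "$1" "$2" \
        && echo "installed as $link and reachable via hash lookup"
fi
```

Running it as `sh trust_store_tools.sh /etc/ssl/certs My_CA.crt` (as root) performs the copy-and-link steps of Option 2 for one CA; `is_trusted_by_dir` is the check worth keeping around, because a CA whose link exists but is numbered past a gap passes a casual `ls` and still fails every `openssl verify`.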