Ubuntu - How do you add a certificate authority (CA) to Ubuntu?

Installing a CA

Copy your certificate in PEM format (the format that has -----BEGIN CERTIFICATE----- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.

Then run sudo update-ca-certificates.

Caveats: This installation only affects products that use this certificate store. Some products may use other certificate stores; if you use those products, you'll need to add this CA certificate to those other certificate stores, too. (Firefox Instructions, Chrome Instructions, Java Instructions)

Testing The CA

You can verify that this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CAs concatenated together).

You can also use OpenSSL's s_client by trying to connect to a server that you know is using a certificate signed by the CA that you just installed.

    $ openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs
    CONNECTED(00000003)
    depth=1 C = US, ST = Virginia, O = "Whatever, Inc.", CN = whatever.com, emailAddress = admin@whatever.com
    verify return:1
    depth=0 C = US, ST = Virginia, L = Arlington, O = "Whatever, Inc.", CN = foo.whatever.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Virginia/L=Arlington/O=Whatever, Inc./CN=foo.whatever.com
       i:/C=US/ST=Virginia/O=Whatever, Inc./CN=whatever.com/emailAddress=admin@whatever.com

    ... snip lots of output ...

        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1392837700
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)

The first thing to look for is the certificate chain near the top of the output. This should show the CA as the issuer (next to i:). This tells you that the server is presenting a certificate signed by the CA you're installing.

Second, look for the verify return code at the end to be set to 0 (ok).
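The bundle check from "Testing The CA" can be scripted. The following is an added example, not part of the original answer: it compares certificates by the SHA-256 of their decoded bytes, so a match is still found when the bundle copy is wrapped at a different line width or uses CRLF line endings, which a plain text search would miss. The function names and the sample data are assumptions made for this example; the sample blocks are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_fingerprints(text):
    """SHA-256 of the decoded (DER) bytes of every PEM certificate block."""
    out = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out

def check_ca_file(name, pem_text):
    """Reasons the file would not match the install step's requirements."""
    problems = []
    if not name.endswith(".crt"):
        problems.append("file name must end in .crt")
    if not PEM_RE.search(pem_text):
        problems.append("no PEM certificate block found")
    return problems

def in_bundle(pem_text, bundle_text):
    """True if every certificate in pem_text is also in bundle_text."""
    wanted = pem_fingerprints(pem_text)
    trusted = set(pem_fingerprints(bundle_text))
    return bool(wanted) and all(fp in trusted for fp in wanted)

def sample_pem(blob, width=64, newline="\n"):
    """Constructed stand-in: wraps arbitrary bytes as a PEM block (not a real cert)."""
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *rows,
                         "-----END CERTIFICATE-----"]) + newline

if __name__ == "__main__":
    if len(sys.argv) == 2:  # real use: path of the .crt you installed
        path = Path(sys.argv[1])
        pem = path.read_text()
        bundle = Path("/etc/ssl/certs/ca-certificates.crt").read_text()
        print(check_ca_file(path.name, pem) or "file looks installable")
        print("in trust bundle:", in_bundle(pem, bundle))
    else:  # offline demo on constructed data
        ca = sample_pem(b"constructed-ca-bytes" * 20)
        rewrapped = sample_pem(b"constructed-ca-bytes" * 20, 76, "\r\n")
        bundle = sample_pem(b"some-other-ca" * 20) + rewrapped
        print("in trust bundle:", in_bundle(ca, bundle))
```

Run it with the path of the installed .crt file as the only argument to check the real bundle; with no argument it runs on the constructed data.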

