
update-ca-trust extract not adding certificates to ca-bundle

Unix & Linux Asked by rGA145 on December 8, 2021

CentOS Linux release 7.6.1810 (Core)
Kernel 5.1.11-1.el7.elrepo.x86_64

I put a cert-file to /etc/pki/ca-trust/source/anchors

File looks like that:

-----BEGIN CERTIFICATE-----
MIIDojCCAoqgAwIBAgIQeqkpty5ghoxP8YfCRe+7qjANBgkqhkiG9w0BAQUFADBP
some strings
FnpKVwAq6UcYOu4AoXweaqOOMsLNSw==
-----END CERTIFICATE-----

And after update-ca-trust extract I expect to see my cert in the bundle file /etc/pki/tls/certs/ca-bundle.crt, but there was nothing new in it. And ls -al shows me the latest edit time, so it was changed 2 months ago, not now.

Initially I tried this with a .crt file. But renaming .crt to .pem didn't solve my problem.
I also tried update-ca-trust enable and update-ca-trust force-enable before extract, but it didn’t help.
/var/log/messages says nothing about that.

What shall I do to fix it?

4 Answers

In my case it was just because I was not using sudo.

Copy the CA certificate to /etc/pki/ca-trust/source/anchors, then call the command below:

sudo update-ca-trust extract

After this, check the exit code; it should be 0:

echo $?

Or grep for the CA certificate name in the file below for confirmation:

cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep "CA-cert-name"

Answered by Tarun Kumar on December 8, 2021

1. Get the CA cert's issuer:

openssl x509 -in ca.crt -noout -text |grep -i "issue"

output like below:

Issuer: CN=something_strings

2. Find the issuer in /etc/pki/tls/certs/ca-bundle.crt:

grep -i "something_strings" /etc/pki/tls/certs/ca-bundle.crt

output like below:

something_strings

If you get a result, then your cert has been added successfully.

You need to reboot the server for it to take effect.

Answered by user454606 on December 8, 2021

TL;DR

The update-ca-trust won't extract your certificate file to the ca-bundle.crt unless this succeeds:

openssl x509 -noout -text -in <cert_file> | grep --after-context=2 "X509v3 Basic Constraints" | grep "CA:TRUE"

I spent a few hours on this issue. Its root was in an X.509 extension called Basic Constraints, which is used to mark whether a certificate belongs to a CA or not.

My humble findings:

  1. The update-ca-bundle tool is in fact a shell script, so it's easy to peek inside.
  2. The script calls the p11-kit utility multiple times, each time using a different filter and creating a different bundle file.
  3. The file ca-bundle.crt is in fact a link to the tls-ca-bundle.pem file, which is generated by p11-kit using the ca-anchors filter. So it ignores all certs besides "CA ones".
  4. Whether a certificate is a CA or not is decided by the Basic Constraints X.509 extension. This way it's possible to mark a certificate as part of a CA.
  5. It's possible to list all X.509 extensions using openssl x509 -noout -text -in <cert_file>
  6. So any certificate file not labelled as part of a CA will be filtered out by p11-kit and not exported to the desired ca-bundle.crt file.

Feel free to correct this in comments.

Answered by Yuri on December 8, 2021
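The two manual checks in the answers above (user454606's grep of the issuer string in ca-bundle.crt, and Yuri's Basic Constraints test) can be wrapped into a small script that is run once before copying a file into the anchors directory and once after extracting. This is an added example, not code from the thread or from the ca-certificates package; the function names, the exit codes and the usage section at the bottom are my own choices. One deliberate change from the answer: membership in the bundle is decided by comparing SHA-256 fingerprints rather than grepping the issuer name, because distinct CAs can share a CN and the extracted bundle holds a large number of certificates.

```shell
#!/bin/sh
# Added example (not from the original thread).
#   cert_is_ca FILE            -> 0 if Basic Constraints says CA:TRUE, 1 if not, 2 if FILE is not a certificate
#   cert_in_bundle FILE BUNDLE -> 0 if FILE's SHA-256 fingerprint matches a certificate in BUNDLE, 1 if not
# Function names and exit codes are my own convention, not anything update-ca-trust defines.

set -u

# Print "CA:TRUE" or "CA:FALSE" from the X509v3 Basic Constraints extension,
# or nothing if the extension is absent. Same pipeline as the answer above,
# with -o so that only the flag itself is returned.
basic_constraints() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep --after-context=2 "X509v3 Basic Constraints" \
        | grep -o 'CA:[A-Z]*'
}

cert_is_ca() {
    # Fail early on something that is not a certificate at all (a key, a CSR, junk).
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    case "$(basic_constraints "$1")" in
        *CA:TRUE*) return 0 ;;
        *)         return 1 ;;   # CA:FALSE, or no Basic Constraints extension at all
    esac
}

cert_in_bundle() {
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null) || return 2
    dir=$(mktemp -d) || return 2
    # Split the bundle into one file per PEM block, then compare fingerprints.
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$2"
    found=1
    for c in "$dir"/*.pem; do
        [ -e "$c" ] || break
        if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$c" 2>/dev/null)" = "$want" ]; then
            found=0
            break
        fi
    done
    rm -rf "$dir"
    return $found
}

# Usage: ./check-anchor.sh my-ca.pem
# Run before copying into /etc/pki/ca-trust/source/anchors to learn whether the
# ca-anchors filter will keep the file, and again after "update-ca-trust extract"
# to confirm it actually landed in the bundle.
if [ "${1:-}" != "" ]; then
    if cert_is_ca "$1"; then
        echo "$1: CA:TRUE, the ca-anchors filter will keep it"
    else
        echo "$1: not marked CA:TRUE, it will not appear in ca-bundle.crt"
    fi
    if cert_in_bundle "$1" /etc/pki/tls/certs/ca-bundle.crt; then
        echo "$1: present in /etc/pki/tls/certs/ca-bundle.crt"
    else
        echo "$1: not present in /etc/pki/tls/certs/ca-bundle.crt"
    fi
fi
```

A return code of 1 from cert_is_ca is the situation described in the question: the file is a valid certificate, update-ca-trust extract exits 0, and nothing changes in the bundle, because p11-kit's ca-anchors filter silently drops anything that is not marked as a CA.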

I don't know exactly what you are asking but the steps below work for me. I enable 'ca trust', copy over the file, extract, and then verify.

$ update-ca-trust enable
$ cp ZScalar.pem /etc/pki/ca-trust/source/anchors/
cp: overwrite ‘/etc/pki/ca-trust/source/anchors/ZScalar.pem’? yes
$ update-ca-trust extract
$ openssl verify  ZScalar.crt
ZScalar.crt: OK

If these steps don't work please post the output of the "openssl verify" command and I might be able to direct you further.

To add to this, extracted certs go to "/etc/pki/ca-trust/extracted/openssl" or "/etc/pki/ca-trust/extracted/pem".

Answered by Jeight on December 8, 2021
