Unix & Linux Asked by rGA145 on December 8, 2021
CentOS Linux release 7.6.1810 (Core)
Kernel 5.1.11-1.el7.elrepo.x86_64
I put a cert-file to /etc/pki/ca-trust/source/anchors
File looks like this:
-----BEGIN CERTIFICATE-----
MIIDojCCAoqgAwIBAgIQeqkpty5ghoxP8YfCRe+7qjANBgkqhkiG9w0BAQUFADBP
some strings
FnpKVwAq6UcYOu4AoXweaqOOMsLNSw==
-----END CERTIFICATE-----
And after update-ca-trust extract
I expect to see my cert in the bundle file /etc/pki/tls/certs/ca-bundle.crt
but there was nothing new in it. And ls -al
shows me the latest edit time, so it was changed 2 months ago, not now.
Initially I tried this with a .crt
file. But renaming .crt
to .pem
didn’t solve my problem.
I also tried update-ca-trust enable
and update-ca-trust force-enable
before extract, but it didn’t help.
/var/log/messages
says nothing about that.
What shall I do to fix it?
In my case it was just because I was not using sudo.
Copy the CA certificate to /etc/pki/ca-trust/source/anchors
, then call below command
sudo update-ca-trust extract
After this, check the exit code; it should be 0:
echo $?
Or grep for the CA certificate name in the file below for confirmation:
cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep "CA-cert-name"
Answered by Tarun Kumar on December 8, 2021
1. Get the CA cert's issuer:
openssl x509 -in ca.crt -noout -text |grep -i "issue"
Output looks like this:
Issuer: CN=something_strings
2. Find the issuer in /etc/pki/tls/certs/ca-bundle.crt:
grep -i "something_strings" /etc/pki/tls/certs/ca-bundle.crt
Output looks like this:
something_strings
If you get a result, then your cert has been added successfully.
You need to reboot the server for it to take effect.
Answered by user454606 on December 8, 2021
TL;DR
The update-ca-trust
won't extract your certificate file to the ca-bundle.crt
unless this succeeds:
openssl x509 -noout -text -in <cert_file> | grep --after-context=2 "X509v3 Basic Constraints" | grep "CA:TRUE"
I spent a few hours on this issue. Its root was in an X.509 extension called Basic Constraints, which is used to mark whether a certificate belongs to a CA or not.
My humble findings:
update-ca-bundle tool is in fact a shell script, so it's easy to peek inside.
p11-kit utility multiple times, each time using a different filter and creating different bundle files.
ca-bundle.crt is in fact a link from the tls-ca-bundle.pem file, which is generated by p11-kit using the ca-anchors filter. So it ignores all certs besides "CA ones".
openssl x509 -noout -text -in <cert_file>
p11-kit and not exported to the desired ca-bundle.crt file.
Feel free to correct this in comments.
Answered by Yuri on December 8, 2021
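The Basic Constraints check from the answer above, turned into a small script that also confirms whether a certificate made it into an extracted bundle. This is an added example, not code from the thread or from update-ca-trust itself; it assumes the openssl CLI is installed, and it matches certificates in the bundle by SHA-256 fingerprint instead of grepping the issuer name, which can match unrelated certificates.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI.
# update-ca-trust's ca-anchors filter only exports certificates whose
# X509v3 Basic Constraints extension says CA:TRUE, so check that first.

# cert_is_ca FILE -> exit 0 if Basic Constraints contains CA:TRUE, else 1
cert_is_ca() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A 2 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# cert_fingerprint FILE -> SHA-256 fingerprint of the first PEM cert in FILE
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | cut -d= -f2
}

# cert_in_bundle FILE BUNDLE -> exit 0 if BUNDLE holds a cert with the same
# SHA-256 fingerprint as FILE. Comment lines between PEM blocks (as found in
# ca-bundle.crt) are tolerated because openssl reads only the first block.
cert_in_bundle() {
    want=$(cert_fingerprint "$1")
    [ -n "$want" ] || return 1
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per "-----BEGIN CERTIFICATE-----" block.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$2"
    found=1
    for part in "$tmp"/*.pem; do
        [ -f "$part" ] || continue
        if [ "$(cert_fingerprint "$part")" = "$want" ]; then
            found=0
            break
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Usage: ./check-anchor.sh CERT [BUNDLE]
if [ -n "$1" ]; then
    if cert_is_ca "$1"; then
        echo "$1: CA:TRUE, eligible for the ca-anchors filter"
    else
        echo "$1: no CA:TRUE in Basic Constraints, update-ca-trust extract will skip it"
    fi
    if [ -n "$2" ]; then
        cert_in_bundle "$1" "$2" && echo "present in $2" || echo "absent from $2"
    fi
fi
```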
I don't know exactly what you are asking but the steps below work for me. I enable 'ca trust', copy over the file, extract, and then verify.
$ update-ca-trust enable
$ cp ZScalar.pem /etc/pki/ca-trust/source/anchors/
cp: overwrite ‘/etc/pki/ca-trust/source/anchors/ZScalar.pem’? yes
$ update-ca-trust extract
$ openssl verify ZScalar.crt
ZScalar.crt: OK
If these steps don't work please post the output of the "openssl verify" command and I might be able to direct you further.
To add to this, extracted certs go to "/etc/pki/ca-trust/extracted/openssl" or "/etc/pki/ca-trust/extracted/pem".
Answered by Jeight on December 8, 2021