SUDO UPDATE INSTALL
To do this, install p11-kit and libnss3 (if they are not already instealled): sudo apt-get update & sudo apt-get install -y p11-kit libnss3 The following is a script to find them all, back them up, and replace them with links to p11-kit: sudo apt-get update & sudo apt-get install -y p11-kit libnss3įind / -type f -name "libnssckbi.so" 2>/dev/null | while read line do There seem to be more versions of libnssckbi.so out there than just in libnss3. p11-kit offers a drop-in replacement for libnssckbi.so that acts as an adapter to the system-wide root certificates installed in /etc/ssl/certs. Libnss3 by default ships with a read-only set of root CA certificates ( libnssckbi.so), so most of the time you need to manually add them yourself to the local user trust store located in $HOME/.pki/nssdb. You do not need to touch /etc/ssl/certs directly.īuilding on dwmw2's answer, you can actually tell applications that use NSS for its certificate management to use the system trust store. crt extension found below /usr/local/share/ca-Ĭertificates are also included as implicitly trusted.įrom the above, I would infer that the preferred way to get local certificate files into the trusted store is to put them into /usr/local/share/ca-certificates, and then run update-ca-certificates. crtĮxtension in order to be included by update-ca-certificates.įurthermore all certificates with a. Lines that begin with "!" are deselected,Ĭausing the deactivation of the CA certificate in question. With "#" are comment lines and thus ignored. Each line gives a pathname of a CAĬertificate under /usr/share/ca-certificates that should be trusted. Man update-ca-certificates: update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSLĬertificates and generates ca-certificates.crt, a concatenated single-file list of
SUDO UPDATE CODE
Second, look for the verify return code at the end to be set to 0 (ok).
This tells you that the server is presenting a certificate signed by the CA you're installing. This should show the CA as the issuer (next to i:). The first thing to look for is the certificate chain near the top of the output. I:/C=US/ST=Virginia/O=Whatever, snip lots of output.
$ openssl s_client -connect :443 -CApath /etc/ssl/certsĭepth=1 C = US, ST = Virginia, O = "Whatever, Inc.", CN =, emailAddress = return:1ĭepth=0 C = US, ST = Virginia, L = Arlington, O = "Whatever, Inc.", CN = Ġ s:/C=US/ST=Virginia/L=Arlington/O=Whatever, Inc./CN= You can also use OpenSSL's s_client by trying to connect to a server that you know is using a certificate signed by the CA that you just installed. You can verify if this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CA's concatenated together). ( Firefox Instructions, Chrome Instructions, Java Instructions) Testing The CA Some products may use other certificate stores if you use those products, you'll need to add this CA certificate to those other certificate stores, too. crt file extension.Ĭaveats: This installation only affects products that use this certificate store. Copy your certificate in PEM format (the format that has -BEGIN CERTIFICATE- in it) into /usr/local/share/ca-certificates and name it with a.
0 kommentar(er)
