-----BEGIN CERTIFICATE-----
MIIDojCCAoqgAwIBAgIQeqkpty5ghoxP8YfCRe+7qjANBgkqhkiG9w0BAQUFADBP
some strings
FnpKVwAq6UcYOu4AoXweaqOOMsLNSw==
-----END CERTIFICATE-----
And after update-ca-trust extract I expected to see my cert in the bundle file /etc/pki/tls/certs/ca-bundle.crt, but there was nothing new in it. And ls -al shows me the latest edit time, so it was changed 2 months ago, not now.
Initially I tried this with a .crt file. But renaming .crt to .pem didn't solve my problem.
I also tried update-ca-trust enable and update-ca-trust force-enable before extract, but it didn't help.
/var/log/messages says nothing about that.
What shall I do to fix it?
TL;DR
update-ca-trust won't extract your certificate file to ca-bundle.crt unless this succeeds:
openssl x509 -noout -text -in <cert_file> | grep --after-context=2 "X509v3 Basic Constraints" | grep "CA:TRUE"
I spent a few hours on this issue. Its root was in an X.509 extension called Basic Constraints, which is used to mark whether a certificate belongs to a CA or not.
My humble findings:
- The update-ca-bundle tool is in fact a shell script, so it's easy to peek inside.
- The script calls the p11-kit utility multiple times, each time using a different filter and creating a different bundle file.
- The file ca-bundle.crt is in fact a link to the tls-ca-bundle.pem file, which is generated by p11-kit using the ca-anchors filter. So it ignores all certs besides "CA ones".
- Whether a certificate is a CA or not is decided by the Basic Constraints X.509 extension. This way it's possible to mark a certificate as part of a CA.
- It's possible to list all X.509 extensions using openssl x509 -noout -text -in <cert_file>
So any certificate file not labelled as part of a CA will be filtered out by p11-kit and not exported to the desired ca-bundle.crt file.
Feel free to correct this in comments.
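The Basic Constraints check from this answer can be run over a whole anchors directory before calling update-ca-trust, so you see up front which files p11-kit's ca-anchors filter will drop. The script below is an added example, not code from the original answers or from the ca-certificates/p11-kit packages; it assumes only that openssl is in PATH, and the directory argument defaults to the /etc/pki/ca-trust/source/anchors path mentioned elsewhere on this page.

```shell
#!/bin/sh
# Added example: audit an anchors directory for the Basic Constraints
# CA:TRUE marking that p11-kit's ca-anchors filter requires.
# Assumes openssl is in PATH; the directory is a parameter.

# Print "ca" if the certificate in $1 carries CA:TRUE, "not-ca" if it
# parses but is not marked as a CA, "unreadable" if openssl cannot parse
# it (e.g. not PEM at all, which also makes update-ca-trust skip it).
ca_status() {
    text=$(openssl x509 -noout -text -in "$1" 2>/dev/null) || {
        echo unreadable
        return 0
    }
    # Same check as the accepted answer: the CA flag is printed on the
    # line after the "X509v3 Basic Constraints" header.
    if printf '%s\n' "$text" | grep -A 2 "X509v3 Basic Constraints" \
            | grep -q "CA:TRUE"; then
        echo ca
    else
        echo not-ca
    fi
}

# Print "<status><TAB><file>" for every .pem and .crt file in the
# directory $1 (default: the anchors directory used by update-ca-trust).
# Returns 1 if any file would be filtered out of the bundle, else 0.
audit_anchors() {
    dir="${1:-/etc/pki/ca-trust/source/anchors}"
    rc=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue   # skip unexpanded globs
        status=$(ca_status "$f")
        printf '%s\t%s\n' "$status" "$f"
        [ "$status" = ca ] || rc=1
    done
    return $rc
}

# Usage: sh audit_anchors.sh [anchors_dir]
if [ $# -gt 0 ]; then
    audit_anchors "$1"
fi
```

A non-zero exit from audit_anchors means at least one file in the directory will not reach ca-bundle.crt, and the per-file lines tell you which ones.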
I don't know exactly what you are asking but the steps below work for me. I enable 'ca trust', copy over the file, extract, and then verify.
$ update-ca-trust enable
$ cp ZScalar.pem /etc/pki/ca-trust/source/anchors/
cp: overwrite ‘/etc/pki/ca-trust/source/anchors/ZScalar.pem’? yes
$ update-ca-trust extract
$ openssl verify ZScalar.crt
ZScalar.crt: OK
If these steps don't work please post the output of the "openssl verify" command and I might be able to direct you further.
To add to this, extracted certs go to "/etc/pki/ca-trust/extracted/openssl" or "/etc/pki/ca-trust/extracted/pem".
2. Find the issue in /etc/pki/tls/certs/ca-bundle.crt:
grep -i "something_strings" /etc/pki/tls/certs/ca-bundle.crt
Output like below:
something_strings
If you get a result, then your certs were added successfully.
You need to reboot the server for it to take effect.
In my case it was just because I was not using sudo.
Copy the CA certificate to /etc/pki/ca-trust/source/anchors, then call the command below:
sudo update-ca-trust extract
After this, check the exit code; it should be 0:
echo $?
Or grep for the CA certificate name in the file below for confirmation:
cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep "CA-cert-name"
The CA certificates should be in place on the system within the ca-trust bundle. The "openssl x509" command expects to operate on a single PEM-encoded certificate at a time. Since the underlying bundle has many certificates in it, only the first is displayed.
To show all issuers:
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep subject | head