Debian CA Root Installation
Installing CA certs in Debian
Installing a root CA certificate on your servers is an appealing option if you host many services and do not wish to pay the widely varying costs for certificates from "trusted" 3rd parties. Alternatively, not having to deal with 3rd parties, or the ability to include custom extensions, can provide significant dividends when trying to administer your systems. In Debian this is a relatively straightforward affair; however, there is a right and a wrong way to do it.
A quick look around the filesystem reveals a directory filled with certificates from various CAs around the world. However, placing a certificate in this directory does not work as one would expect, leaving you to scratch your head wondering why connections are being rejected with 'could not verify certificate' (openssl's wonderfully helpful message for being unable to verify that your certificate was issued by a trusted authority).
Debian has multiple directories for managing certificates: /usr/share/ca-certificates, its local counterpart /usr/local/share/ca-certificates, and another at /etc/ssl/certs. This final directory manages which certificates are 'active', while the other two store all activated and deactivated certificates.
A single bundle file contains a list of all active certificates in /etc/ssl/certs and mainly exists for compatibility with older versions of openssl that only supported certificate stores in a single file and not a directory.
To install a certificate the 'correct' way and have it show up when you type dpkg-reconfigure ca-certificates, try the steps below:
- Create a directory under /usr/local/share/ca-certificates that corresponds to your certificates (in my case I chose the name 'pocketnix' for holding my certificates and created the directory with the following command: mkdir -p /usr/share/ca-certificates/pocketnix).
- Copy the root CA to the directory mentioned above (in PEM format and with a file name ending in 'crt'), and make a note of this file name (PocketnixCA.crt for this example).
- Open /etc/ca-certificates.conf with your favorite text editor and add a line for your certificate (for the example above, the line names the directory and file created in the previous two steps).
- Try to log into the service that was throwing the warning or error before, to confirm it's all working.
That's it: the certificate is now installed, should survive updates of the CA certificates, and can be enabled and disabled by re-configuring the ca-certificates package.
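The steps above as a script, added here as an example and not part of the original post. ROOT is an assumed prefix (empty on a real system) so the file layout can be rehearsed in a scratch directory first; update-ca-certificates, the command that dpkg-reconfigure ca-certificates runs to rebuild /etc/ssl/certs, and openssl verify are used for the final check.

```shell
#!/bin/sh
# Added example (not from the original post): install a local root CA the way
# the post describes. ROOT is an assumed prefix: empty for the real system, or
# a scratch directory to rehearse the layout without touching /etc.
set -eu

ROOT="${ROOT:-}"

# Accept only a PEM certificate whose file name ends in .crt (what the
# ca-certificates package expects; other extensions are silently ignored).
check_pem_crt() {
    case "$1" in *.crt) ;; *) return 1 ;; esac
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Copy CERT into /usr/share/ca-certificates/NAME/ and register it in
# /etc/ca-certificates.conf so that dpkg-reconfigure ca-certificates lists it.
# Prints the conf entry that was (or already is) registered.
install_local_ca() {
    cert="$1"; name="$2"
    check_pem_crt "$cert" || { echo "not a PEM .crt file: $cert" >&2; return 1; }
    dir="$ROOT/usr/share/ca-certificates/$name"
    conf="$ROOT/etc/ca-certificates.conf"
    entry="$name/$(basename "$cert")"
    mkdir -p "$dir" "$(dirname "$conf")"
    cp "$cert" "$dir/"
    touch "$conf"
    # One entry per certificate; a leading '!' in this file marks it deactivated.
    grep -qx "$entry" "$conf" || echo "$entry" >> "$conf"
    echo "$entry"
}

# Rebuild /etc/ssl/certs (hashed symlinks plus the single-file bundle) and
# confirm that a certificate issued by the new CA now verifies against it.
activate_and_verify() {
    leaf="$1"
    update-ca-certificates
    openssl verify -CApath /etc/ssl/certs "$leaf"
}

# Usage on a real system, as root:
#   install_local_ca PocketnixCA.crt pocketnix && activate_and_verify server.crt
```

Anything placed in this store is trusted by every OpenSSL-based client on the host, so keep the CA's private key off the server; applications that carry their own trust store (browsers, Java) will not see it.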
If you are looking for more information, try having a look in the following locations on a Debian system with the ca-certificates package installed:
- /usr/share/doc/ca-certificates/examples/ca-certificates-local/README: includes a guide to creating a Debian package with your certificates contained within it.