Root CA

Reading Time: < 1 minute

Last Update: 5/29/2024


I am going to assume we are going to install a new CA to Linux workstation/server. The CA represents the domain that you are administrating. For this example, using a Easy-RSA deployment covers this need.

l assume we have ran through the exercise of installing the Easy-RSA server.
Collect the Easy-RSA CA “root” certificate preserved when you installed Easy-RSA. Let’s presume this certificate can be named as “easy-rsa.crt” (Remember this will be found in the \easy-rsa\pki folder The root ca created during pki-init was named ca.crt)

Copy the named easy-rsa-ca.crt to the /usr/local/share/ca-certificates directory. Of the application server you are developing and that you want to trust a cert cert you are about to add (i.e. from your easy-rsa ca server)

root@node1:/etc/ssl/certs# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

“If you needed to re-install the “factory” default certs again. The last steps rebuilds the default “ca-certificates.crt” found in /etc/ssl/certs ca-certificates.crt is a aggregate collection of certs collected to form a convenient single file for easy reference.

sudo apt-get install -y ca-certificates
sudo cp local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

This is a handy script. No, I was not genius enough to write the following. I am clever enough to recognize the utility of it. Credit is given where credit is due (please see the URL listed below)

This is handy enough to pull out headers from the “ca-certificates.crt” file and can be used for verification. You most likely would note the newest additon at the bottom of the listing.

openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout


This entry was posted in Certificate. Bookmark the permalink.