Root CA

Last Update: 5/29/2024

update-ca-certificates

I am going to assume we are installing a new CA on a Linux workstation/server. The CA represents the domain that you are administering. For this example, an Easy-RSA deployment covers this need.

I assume we have run through the exercise of installing the Easy-RSA server.
Collect the Easy-RSA CA “root” certificate preserved when you installed Easy-RSA. Let’s presume this certificate is named “easy-rsa.crt”. (Remember, this will be found in the \easy-rsa\pki folder. The root CA created during pki-init was named ca.crt.)

Copy the named easy-rsa-ca.crt to the /usr/local/share/ca-certificates directory of the application server you are developing, the one that you want to trust the cert you are about to add (i.e. from your Easy-RSA CA server).

root@node1:/etc/ssl/certs# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

If you need to re-install the “factory” default certs again, the last step rebuilds the default “ca-certificates.crt” found in /etc/ssl/certs. The ca-certificates.crt file is an aggregate collection of certs, gathered into a convenient single file for easy reference.

sudo apt-get install -y ca-certificates
sudo cp local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

This is a handy script. No, I was not genius enough to write the following. I am clever enough to recognize the utility of it. Credit is given where credit is due (please see the unix.stackexchange.com URL listed below).

This is handy enough to pull out headers from the “ca-certificates.crt” file and can be used for verification. You would most likely note the newest addition at the bottom of the listing.

openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout
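
As an added example (not part of the original post or the referenced Stack Exchange answer), the script below replaces the visual check of the listing with a SHA-256 fingerprint comparison between the certificate you copied and every certificate in the bundle. The function names pem_fingerprints and ca_in_bundle are my own; it assumes PEM input and the coreutils base64 and sha256sum tools.

```sh
#!/bin/sh
# Added example: confirm a CA certificate really landed in the aggregated bundle.
# The fingerprint is SHA-256 over the DER bytes, the same value that
# "openssl x509 -noout -fingerprint -sha256" reports (minus colons, lowercase).

# pem_fingerprints FILE: print one hex SHA-256 per certificate found in FILE.
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        # Decode the base64 body back to DER and hash it.
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# ca_in_bundle CERT [BUNDLE]: 0 if every certificate in CERT is in BUNDLE,
# 1 if one is missing, 2 if the input is unreadable or holds no PEM certificate.
ca_in_bundle() {
    cert=$1
    bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    [ -r "$cert" ] && [ -r "$bundle" ] || { echo "unreadable input" >&2; return 2; }
    want=$(pem_fingerprints "$cert")
    [ -n "$want" ] || { echo "no PEM certificate in $cert" >&2; return 2; }
    have=$(pem_fingerprints "$bundle")
    for fp in $want; do
        printf '%s\n' "$have" | grep -qxF "$fp" || { echo "missing: $fp" >&2; return 1; }
    done
    return 0
}

# When called with arguments: check-ca.sh CERT [BUNDLE]
if [ "$#" -gt 0 ]; then
    case $1 in
        *.crt) ;;
        # Files without this suffix are skipped in /usr/local/share/ca-certificates.
        *) echo "note: update-ca-certificates only imports *.crt files" >&2 ;;
    esac
    ca_in_bundle "$@"
fi
```

Run it after update-ca-certificates, passing the path of the file you copied into /usr/local/share/ca-certificates; a non-zero exit status means the certificate is not in the bundle.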

Reference:
https://ubuntu.com/server/docs/install-a-root-ca-certificate-in-the-trust-store
https://unix.stackexchange.com/questions/688608/is-it-possible-to-install-a-custom-ca-certificate-without-the-ca-certificates-pa
