TLS certificates in Linux
Installing TLS CA root certificates in Linux is actually quite easy. Well, at least if you know where to put the certificate files … Unfortunately, different distributions keep their certificate stores in different places. Here is a short overview on installing root certificates in Debian and Red Hat Enterprise Linux/CentOS. Other distributions based on Debian or RHEL probably handle this similarly to one of the two approaches described here.
Note that the directory and command names below imply that these procedures are meant for CA root certificates. However, the same can be done with self-signed certificates as well (these are quite similar to CA root certificates). Note also that some programs (most notably Firefox) have their own certificate stores and ignore the system-wide settings! Others need to be explicitly pointed to the certificate store's file path in their configuration.
Debian
The following is valid at least for Debian 8.
Put the certificate file (with file name extension .crt) into the /usr/local/share/ca-certificates/ directory, then run the update-ca-certificates command to update the symlink list in /etc/ssl/certs/:
# cp certificate.crt /usr/local/share/ca-certificates/
# update-ca-certificates
(There is no need to modify the /etc/ca-certificates.conf file, since the certificates in /usr/local/share/ca-certificates are implicitly trusted. The config file is only relevant concerning the certificates in /usr/share/ca-certificates.)
To remove a certificate, delete the certificate file and run the update-ca-certificates command to remove the respective symlinks in /etc/ssl/certs/:
# rm /usr/local/share/ca-certificates/certificate.crt
# update-ca-certificates -f
RHEL/CentOS
The following is valid at least for CentOS 7.
Put the certificate file (any file name) into the /etc/pki/ca-trust/source/anchors/ directory, then run the update-ca-trust command to update the certificate bundle files in /etc/pki/ca-trust/extracted/:
# cp certificate.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
To remove a certificate, delete the certificate file and run the update-ca-trust command to update the certificate bundle files in /etc/pki/ca-trust/extracted/:
# rm /etc/pki/ca-trust/source/anchors/certificate.crt
# update-ca-trust extract
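The two install procedures above can be combined into one pre-flight script. The following is an added example, not part of the original article: it reads an os-release file to pick the distribution family, checks the certificate file, and prints the commands to run without changing anything. The function names and the script name ca-plan.sh are hypothetical, and matching derivatives through ID_LIKE assumes they use the same paths as Debian or RHEL.

```shell
#!/bin/sh
# Added example: print the install steps for the detected distribution
# family after checking the certificate file. Nothing is modified.

# distro_family OS_RELEASE_FILE -> prints "debian" or "rhel"
distro_family() {
    # Parse ID and ID_LIKE instead of sourcing the file.
    ids=$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' "$1" 2>/dev/null | tr -d "\"'")
    for id in $ids; do
        case $id in
            debian)      echo debian; return 0 ;;
            rhel|centos) echo rhel;   return 0 ;;
        esac
    done
    return 1
}

# ca_install_plan CERT_FILE [OS_RELEASE_FILE]
ca_install_plan() {
    cert=$1
    family=$(distro_family "${2:-/etc/os-release}") || {
        echo "unknown or unsupported distribution" >&2; return 2; }
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 3; }
    name=$(basename "$cert")
    case $family in
        debian)
            # update-ca-certificates expects PEM files named *.crt
            grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" || {
                echo "$cert is not PEM encoded" >&2; return 4; }
            case $name in *.crt) ;; *) name="${name%.*}.crt" ;; esac
            echo "cp $cert /usr/local/share/ca-certificates/$name"
            echo "update-ca-certificates"
            ;;
        rhel)
            # Any file name is accepted in the anchors directory.
            echo "cp $cert /etc/pki/ca-trust/source/anchors/$name"
            echo "update-ca-trust extract"
            ;;
    esac
}

# Run as: sh ca-plan.sh certificate.crt  (script name is hypothetical)
if [ "$#" -ge 1 ]; then ca_install_plan "$@"; fi
```

Review the printed commands, then run them as root.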