Add trusted root CA (Centos case)


Postby lik » Sat Aug 16, 2014 2:34 pm

Sometimes you may need to add custom root CA certificates to the trusted list on your server.
In this example we will add the Root Certificate and Intermediate Certificate from CAcert, a free community-driven Certificate Authority.

The general solution can be found at their wiki, but it lacks details about the update-ca-trust method.

First, we install the ca-certificates package:
yum install ca-certificates

Then enable the dynamic CA configuration feature:
update-ca-trust enable

Time to download the root and intermediate certificates in PEM format:
wget -q --no-check-certificate https://www.cacert.org/certs/root.crt -O /etc/pki/ca-trust/source/anchors/cacert-root.crt
wget -q --no-check-certificate https://www.cacert.org/certs/class3.crt -O /etc/pki/ca-trust/source/anchors/cacert-class3.crt

Generate updated versions of the consolidated configuration files:
update-ca-trust extract

Check the verify return code; it should be "0 (ok)":
# openssl s_client -connect forum.likg.org.ua:443 -servername forum.likg.org.ua
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify return:1
depth=0 CN = forum.likg.org.ua
verify return:1
---
Certificate chain
 0 s:/CN=forum.likg.org.ua
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=forum.likg.org.ua
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 2036 bytes and written 516 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: CBBD184F10D95A4C64EC594DBC41004A359AD0C81D5B34ED2474D6676ACEFAB3
    Session-ID-ctx:
    Master-Key: B4C00557A8026B31CB6A409F66B7A433F1E6BCF517633348988891115F64C9B61F51456BF2D507D665050B017D5C991F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5c 73 e1 41 70 41 3a ac-6a f9 42 6d 1e b5 96 8f   \s.ApA:.j.Bm....
    0010 - b5 52 c8 ef f2 56 4e 87-1a 5a ba 34 31 8f 09 3f   .R...VN..Z.41..?
    0020 - dc 66 05 9e 86 ae 58 cf-6d fb e0 12 89 fc ef 40   .f....X.m......@
    0030 - 39 75 48 b7 e7 50 fd 86-9b ac 85 ec a4 04 0e f8   9uH..P..........
    0040 - dd 62 fb 36 04 bc ef 19-fa 9b 31 be c5 63 1c 84   .b.6......1..c..
    0050 - 51 7b 8a 3e 30 04 74 b6-e8 5f f0 5c 09 57 8e 68   Q{.>0.t.._.\.W.h
    0060 - ef f8 9e c9 c9 b5 97 82-a9 32 3a 78 15 95 a1 80   .........2:x....
    0070 - 88 b3 92 ba 2b c8 5d 34-f2 68 e5 34 9f 55 10 8f   ....+.]4.h.4.U..
    0080 - b8 d2 91 2b 81 9c 6d 2c-79 6d d3 3a 56 46 43 fd   ...+..m,ym.:VFC.
    0090 - a3 b7 d2 ae 15 35 bd e3-0e e2 a2 bc 45 16 11 b3   .....5......E...
    00a0 - 7e ea 3d 9d b9 ef c3 2c-93 92 ba 06 a7 97 7f      ~.=....,.......
    00b0 - <SPACES/NULS>

    Start Time: 1408199442
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
lik
Founder
Posts: 497
Joined: Wed Dec 15, 2010 3:21 am
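The download step above uses wget --no-check-certificate, which is unavoidable at that moment (the CA is not trusted yet), but it means the file arrives over an unauthenticated channel. Before a certificate goes into /etc/pki/ca-trust/source/anchors it should be compared against the SHA-256 fingerprint the CA publishes out of band. The script below is an added example, not part of lik's post or of the ca-certificates package: it parses the downloaded PEM, computes the fingerprint over the DER bytes, compares it in constant time against the pinned value, and only then copies the file into the anchors directory. The demo() function uses a constructed byte blob in place of a real certificate and a temporary directory in place of the real anchors path; the anchors_dir default and the file names are taken from the post, and the pinned fingerprint must be supplied by you (the code carries a placeholder, not CAcert's real value).

```python
import base64
import hashlib
import hmac
import os
import re
import shutil
import tempfile

# Default location used by update-ca-trust on CentOS/RHEL (from the post).
ANCHORS_DIR = "/etc/pki/ca-trust/source/anchors"

# Placeholder: obtain the real fingerprint from the CA through a trusted channel.
PINNED_ROOT_FINGERPRINT = "REPLACE:WITH:PUBLISHED:SHA256:FINGERPRINT"

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block found in PEM text."""
    return [base64.b64decode("".join(body.split())) for body in PEM_CERT_RE.findall(pem_text)]


def sha256_fingerprint(der_bytes):
    """Colon-separated uppercase SHA-256 fingerprint, as openssl x509 -fingerprint prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def install_anchor(pem_path, expected_fingerprint, anchors_dir=ANCHORS_DIR):
    """Verify a downloaded CA certificate against a pinned fingerprint, then copy it
    into the anchors directory. Returns the installed path; raises ValueError when
    the file does not hold exactly one certificate or the fingerprint does not match.
    Remember to run `update-ca-trust extract` afterwards, as the post describes."""
    with open(pem_path, "r", encoding="ascii") as fh:
        certs = pem_certificates(fh.read())
    if len(certs) != 1:
        raise ValueError(f"expected exactly one certificate in {pem_path}, found {len(certs)}")
    actual = sha256_fingerprint(certs[0])
    # Constant-time comparison; the fingerprint is not secret, but this avoids
    # sloppy partial matches and is the idiomatic way to compare digests.
    if not hmac.compare_digest(actual, expected_fingerprint.upper()):
        raise ValueError(f"fingerprint mismatch for {pem_path}: got {actual}")
    os.makedirs(anchors_dir, exist_ok=True)
    dest = os.path.join(anchors_dir, os.path.basename(pem_path))
    shutil.copyfile(pem_path, dest)
    os.chmod(dest, 0o644)  # anchors are public; world-readable, root-writable
    return dest


def demo():
    """Run the check against a constructed blob (not a real certificate) in a temp dir."""
    fake_der = b"\x30\x82\x01\x00" + bytes(range(256))  # constructed sample, not valid X.509
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(fake_der).decode("ascii")
           + "-----END CERTIFICATE-----\n")
    work = tempfile.mkdtemp()
    src = os.path.join(work, "cacert-root.crt")
    with open(src, "w", encoding="ascii") as fh:
        fh.write(pem)
    anchors = os.path.join(work, "anchors")

    pinned = sha256_fingerprint(fake_der)
    installed = install_anchor(src, pinned, anchors)

    # Flip the first hex digit to simulate a certificate that does not match the pin.
    wrong = ("0" if pinned[0] != "0" else "1") + pinned[1:]
    try:
        install_anchor(src, wrong, anchors)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    shutil.rmtree(work, ignore_errors=True)
    return {"installed": installed.endswith("cacert-root.crt"), "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

On a real host the call would be install_anchor("/tmp/cacert-root.crt", PINNED_ROOT_FINGERPRINT) followed by update-ca-trust extract; the intermediate (class3.crt) gets the same treatment with its own pinned fingerprint. The one-certificate check matters because a file that quietly carries an extra CERTIFICATE block would otherwise add an unreviewed anchor to the trust store.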
