Installing root CA

I’m contributing to a project that has its own root CA for testing. I’ve copied the cert to the /etc/pki/ca-trust/source/anchors path and updated with sudo update-ca-trust; I’ve also manually added it with the trust anchor command when that didn’t work.

When I try to curl a host that uses the cert it fails. When I pass the --cacert flag with the path to the cert it passes. Just wondering if anyone has experience with the joys of nuanced certificate debugging.


By using this command

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Is your certificate listed?


There are rules that you must follow for your CA to work.

If your leaf cert is not working then you likely broke one or more rules.
For example, leaf certs cannot be more than 390 days before they expire, and you must have a SAN (subject alternative name) in the cert.
There are more rules…

curl does not enforce all the rules that browsers enforce.
Make sure you test with a range of browsers: Firefox, Safari, Chrome, etc.

If you use intermediate certs then the host must return intermediate+host cert to the browser.
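As an added example (not from this thread or the project being discussed), the script below builds a throwaway root CA with constructed .example.test names and runs the rule checks listed above: SAN present, lifetime within MAX_DAYS, and chain verification. `chain_ok` is the same offline decision curl makes against its bundle, so pointing CAFILE at /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem reproduces the original failure without a network. It assumes bash, openssl and GNU date.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Constructed root CA + two leaf certs,
# then the checks named in the reply above. Assumes openssl and GNU date.
set -eu

MAX_DAYS=390   # lifetime limit quoted in the reply above

# make_test_pki DIR: root CA, a compliant leaf (365 days, SAN) and a
# non-compliant leaf (825 days, CN only).
make_test_pki() {
  local d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  printf 'subjectAltName=DNS:good.example.test\n' > "$d/san.cnf"
  for leaf in good bad; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$leaf.example.test" \
      -keyout "$d/$leaf.key" -out "$d/$leaf.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -extfile "$d/san.cnf" -out "$d/good.pem" 2>/dev/null
  openssl x509 -req -in "$d/bad.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 825 -out "$d/bad.pem" 2>/dev/null
}

# has_san CERT: true if the cert carries a subjectAltName extension
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# validity_days CERT: notBefore..notAfter in whole days
validity_days() {
  local nb na
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
}

# chain_ok CAFILE CERT: the trust decision curl makes against its bundle,
# e.g. CAFILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# check_leaf CAFILE CERT: prints "ok" or the space-separated broken rules
check_leaf() {
  local problems=""
  has_san "$2" || problems="$problems no-SAN"
  [ "$(validity_days "$2")" -le "$MAX_DAYS" ] || problems="$problems too-long"
  chain_ok "$1" "$2" || problems="$problems chain-fail"
  [ -n "$problems" ] && echo "${problems# }" || echo ok
}

D=$(mktemp -d); make_test_pki "$D"
for leaf in good bad; do echo "$leaf: $(check_leaf "$D/ca.pem" "$D/$leaf.pem")"; done
```

Run it against the real leaf with `check_leaf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem leaf.pem`: "chain-fail" there means the extracted bundle does not contain a usable path to the leaf's issuer, which is exactly the case where curl fails without --cacert.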

Yes, I see it listed.

Check this way:

# exits non-zero if the server chain or hostname fails to verify
# against the system trust store (-verify_return_error)
HOST="example.org"; \
PORT="443"; \
openssl s_client \
    -connect ${HOST}:${PORT} \
    -verify_hostname ${HOST} \
    -verify_return_error \
    < /dev/null 2> /dev/null

See also:
openssl-s_client.1ossl: SSL/TLS client program (openssl man page on ManKier)