I’m contributing to a project that has its own root CA for testing. I’ve copied the cert to the /etc/pki/ca-trust/source/anchors path and updated with sudo update-ca-trust; I’ve also manually added it with the trust anchor command when that didn’t work.
When I try to curl a host that uses the cert, it fails. When I pass the --cacert flag with the path to the cert, it passes. Just wondering if anyone has experience with the joys of nuanced certificate debugging.
There are rules that you must follow for your CA to work.
If your leaf cert is not working then you likely broke one or more rules.
For example, leaf certs cannot be more than 390 days from issue before they expire, and you must have a SAN (subject alternative name) in the cert.
There are more rules…
curl does not enforce all the rules that browsers enforce.
Make sure you test with a range of browsers: Firefox, Safari, Chrome, etc.
If you use intermediate certs then the host must return intermediate+host cert to the browser.
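The checks the answer lists (the leaf chains to the anchor, it carries a SAN, its lifetime is within the limit) can be run locally with the openssl CLI before touching the system trust store. The script below is an added example, not code from the thread or from any project: it builds a throwaway test CA and leaf certificate in a temporary directory, then runs each check as a shell function. It assumes the openssl CLI and GNU date are installed; every path, name and certificate in it is constructed for the example.

```shell
#!/bin/sh
# Added example: throwaway CA + leaf, then the checks from the answer.
# Assumes the openssl CLI and GNU date (date -d). Everything below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A throwaway root CA (constructed; not any real project's CA).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Test Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. A second, unrelated CA, to show what "wrong anchor installed" looks like.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Unrelated Test Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1

# 3. A leaf signed by the first CA, with a SAN and a 365-day lifetime.
printf 'subjectAltName = DNS:app.test.example\n' > "$WORK/leaf.ext"
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=app.test.example" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" \
  -out "$WORK/leaf.crt" >/dev/null 2>&1

# Does the leaf chain to the given anchor (or bundle)?  openssl exits non-zero
# on failure, so the function's status is the answer.  After update-ca-trust,
# run this against the generated bundle (on Fedora/RHEL-style systems
# /etc/pki/tls/certs/ca-bundle.crt) to confirm the anchor actually landed there.
chain_ok() { # $1 = CA file or bundle, $2 = leaf cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the leaf carry a DNS subjectAltName?  Browsers ignore the CN entirely.
has_san() { # $1 = leaf cert
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'DNS:'
}

# Lifetime in whole days between notBefore and notAfter.
lifetime_days() { # $1 = cert
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  s=$(date -d "$nb" +%s)
  e=$(date -d "$na" +%s)
  echo $(( (e - s) / 86400 ))
}

# Is the lifetime within the limit?  Default is the 390-day figure from the answer.
lifetime_ok() { # $1 = cert, $2 = max days (optional)
  [ "$(lifetime_days "$1")" -le "${2:-390}" ]
}

# Stand-alone run: print one line per check, the way you would eyeball it.
report() { # $1 = anchor, $2 = leaf
  if chain_ok "$1" "$2"; then echo "chain:    OK"; else echo "chain:    FAIL (leaf does not chain to anchor)"; fi
  if has_san "$2";        then echo "SAN:      OK"; else echo "SAN:      FAIL (no DNS SAN; browsers will reject)"; fi
  if lifetime_ok "$2";    then echo "lifetime: OK ($(lifetime_days "$2") days)"; else echo "lifetime: FAIL ($(lifetime_days "$2") days)"; fi
}

report "$WORK/ca.crt" "$WORK/leaf.crt"
echo "--- same leaf against the wrong anchor ---"
report "$WORK/other.crt" "$WORK/leaf.crt"
```

For the question's actual symptom (works with --cacert, fails without), `curl -v` prints the CAfile path it is using; pointing `chain_ok` at that exact file tells you whether the anchor made it into the bundle that update-ca-trust generated. For the intermediate point in the answer, `openssl s_client -connect host:443 -showcerts` shows what the server actually sends, so you can see whether the intermediate is missing from the served chain rather than from the trust store.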