TL;DR: copy the cert to /etc/ssl/certs/foo.pem and call update-ca-certificates
On Fri, Aug 29, 2014 at 9:31 AM, Brian Harrington <brian.ha...@coreos.com> wrote:
> Julian,
>
> Don't re-write the file ca-certificates.crt. Instead download the file to
> the directory /etc/ssl/certs/ then run "sudo c_rehash".
>
> On any OpenSSL based system the trust model is based on the acknowledgement
> of the hash of a given certificate. What the "c_rehash" script is doing is
> looking at the hash of a given certificate ("openssl x509 -noout -hash -in
> cername.crt") then explicitly creating a symbolic link in the form "hash".0
> using the resulting value from the previous command.
>
> So, talking this all out using CACert as an example (the short way):
> $ sudo curl -o /etc/ssl/certs/cacert_root.crt http://www.cacert.org/certs/root.crt
> $ sudo c_rehash
The file must end in .pem for c_rehash to use it. Also, calling
c_rehash will only make the cert available to applications using
OpenSSL with its default settings; applications written in Go, or that
specify a path to the certificate bundle file instead of the directory,
will not pick it up. To handle both cases we provide the tool
"update-ca-certificates", which will do both.
>
> So, talking this all out using CACert as an example (the long way):
> $ sudo curl -o /etc/ssl/certs/cacert_root.crt http://www.cacert.org/certs/root.crt
> $ openssl x509 -noout -hash -in /etc/ssl/certs/cacert_root.crt
> 99d0fa06
> $ sudo ln -s /etc/ssl/certs/cacert_root.crt /etc/ssl/certs/99d0fa06.0
The manual procedure also needs:
$ sudo rm /etc/ssl/certs/ca-certificates.crt
$ sudo cp /usr/share/ca-certificates/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
$ sudo sh -c "cat /etc/ssl/certs/foo.pem >> /etc/ssl/certs/ca-certificates.crt"
By default /etc/ssl/certs/ca-certificates.crt is a symlink to the copy
in /usr but you can replace that symlink with a regular file, from
then on the file will be automatically updated during boot so it
remains current after upgrades. Again, this does require that you name
your custom cert with the .pem suffix, otherwise on next boot it will
not be included when ca-certificates.crt is regenerated.
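The two-step install discussed in this thread (hashed symlink for OpenSSL's directory lookup, plus the regenerated ca-certificates.crt bundle for everything that reads a single file), written out as an added example so each step can be checked. This is not code from the thread or from CoreOS: the function names, the relative symlink target, the optional directory arguments (present only so the functions can be exercised in a scratch directory without root) and the use of openssl verify as the check are this example's own choices; the default paths are the ones the thread names. The -no-CAfile / -no-CApath flags need OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not CoreOS tooling: mirrors what c_rehash and the manual
# bundle rebuild in the thread do, with a check for both lookup paths.
set -eu

# Copy a PEM certificate into the trust directory as NAME.pem (the suffix the
# boot-time bundle regeneration looks for) and create the <subject-hash>.N
# symlink that OpenSSL's directory lookup (-CApath / SSL_CERT_DIR) uses, as
# c_rehash would. N is 0 unless a different certificate with the same subject
# hash is already linked, in which case the next free suffix is used (c_rehash's
# collision rule). Prints the name of the link it created or found.
install_ca() {
    src=$1
    name=$2
    certdir=${3:-/etc/ssl/certs}   # optional third argument is for testing only
    dest="$certdir/$name.pem"
    # Parse before copying: refuses anything that is not a PEM certificate
    openssl x509 -noout -in "$src" >/dev/null
    cp "$src" "$dest"
    hash=$(openssl x509 -noout -hash -in "$dest")
    n=0
    while [ -e "$certdir/$hash.$n" ] && [ "$(readlink "$certdir/$hash.$n")" != "$name.pem" ]; do
        n=$((n + 1))
    done
    ln -sf "$name.pem" "$certdir/$hash.$n"
    printf '%s.%s\n' "$hash" "$n"
}

# Rebuild the bundle the way the manual procedure in the thread does: start
# from the distribution copy, then append each named custom certificate.
# Consumers that read one bundle file (openssl -CAfile, and the applications
# the reply mentions) only see the new CA after this step.
rebuild_bundle() {
    certdir=$1
    base=$2
    shift 2
    bundle="$certdir/ca-certificates.crt"
    rm -f "$bundle"
    cat "$base" > "$bundle"
    for name in "$@"; do
        cat "$certdir/$name.pem" >> "$bundle"
    done
}

# Verify a certificate through each lookup path in isolation and print "ok"
# only if both succeed. -no-CAfile / -no-CApath stop openssl from silently
# adding the system defaults, which would otherwise mask a broken step.
check_trust() {
    cert=$1
    certdir=${2:-/etc/ssl/certs}
    openssl verify -no-CAfile -CApath "$certdir" "$cert" >/dev/null 2>&1 || return 1
    openssl verify -no-CApath -CAfile "$certdir/ca-certificates.crt" "$cert" >/dev/null 2>&1 || return 1
    echo ok
}
```

On a real host the sequence is `install_ca foo.crt foo` followed by `update-ca-certificates` (which does the bundle rebuild properly) and then `check_trust foo.crt` to confirm both paths; `rebuild_bundle` is here only to show what the manual steps in the thread amount to. The collision handling matters when two internal CAs share a subject name: the second one silently overwriting the `.0` link is a classic cause of "works for one service, not the other".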