
update-ca-certificates


Pocket

Dec 13, 2023, 8:00:05 PM
What format do certs need to be in to work with update-ca-certificates?

PEM or DER?

I have just finished writing some scripts to generate certs for my email
server and nginx server.

The scripts allow me to become my own CA.

The man page states that the cert needs to have a suffix of .crt.

By definition, certs ending in .crt are in DER format.

Will PEM format certs work?

--
It's not easy to be me

Roberto C. Sánchez

Dec 13, 2023, 8:30:07 PM
Have you looked at the examples?
/usr/share/doc/ca-certificates/examples/ca-certificates-local/

Regards,

-Roberto

--
Roberto C. Sánchez

jeremy ardley

Dec 13, 2023, 8:40:07 PM

On 14/12/23 08:54, Pocket wrote:
>
> I have just finished writing some scripts to generate certs for my
> email server and nginx server.
>
> The scripts allow me to become my own CA.


You don't have to be your own CA. It's very easy to use letsencrypt to
generate valid certificates for hosts even if they are not directly
connected to the internet.

In my case I use letsencrypt for certificates for nginx, dovecot, and
postfix. They all use the same certificates maintained by
letsencrypt/certbot by linking to it in their configuration.

letsencrypt/certbot manages all the certificates and necessary renewals
using cron jobs at regular intervals.

The situations where you still need to be your own CA are for
applications like OpenVPN and certificates for ssh servers and clients.

Pocket

Dec 13, 2023, 9:00:06 PM

On 12/13/23 20:34, jeremy ardley wrote:
>
> On 14/12/23 08:54, Pocket wrote:
>>
>> I have just finished writing some scripts to generate certs for my
>> email server and nginx server.
>>
>> The scripts allow me to become my own CA.
>
>
> You don't have to be your own CA. It's very easy to use letsencrypt to
> generate valid certificates for hosts even if they are not directly
> connected to the internet.


I don't want to use letsencrypt; that is a non-starter.


>
> In my case I use letsencrypt for certificates for nginx, dovecot, and
> postfix. They all use the same certificates maintained by
> letsencrypt/certbot by linking to it in their configuration,
>
> letsencrypt/certbot manages all the certificates and necessary
> renewals using cron jobs at regular intervals.


Which is why I don't want to use it.

Don't want to install any more packages or update cron (I have not added
cron jobs).


>
> The situations where you still need to be your own CA are for
> applications like OpenVPN and certificates for ssh servers and clients

On my network I want to control the certs used.

Pocket

Dec 13, 2023, 9:00:06 PM
Yes I have; the issue is the man page does not specify the type of certs it can process.

-- 

Jeffrey Walton

Dec 13, 2023, 9:50:07 PM
On Wed, Dec 13, 2023 at 7:55 PM Pocket <poc...@columbus.rr.com> wrote:
>
> What formats does certs need to be to work with update-ca-certificates?
>
> PEM or DER?

PEM

> I have just finished writing some scripts to generate certs for my email
> server and nginx server.
>
> [...]
> Will pem format type certs work?

Yes.

You should also place the certificates in
/usr/local/share/ca-certificates . Make the directory if it does not
exist. And then run update-ca-certificates from the directory.

Jeff

Charles Curley

Dec 13, 2023, 10:00:05 PM
On Thu, 14 Dec 2023 09:34:37 +0800
jeremy ardley <jeremy...@gmail.com> wrote:

> You don't have to be your own CA. It's very easy to use letsencrypt
> to generate valid certificates for hosts even if they are not
> directly connected to the internet.

Oooh, is there a writeup somewhere on how to do that? The last time I
looked, I couldn't find one. But that was a while ago.

--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Pocket

Dec 13, 2023, 10:00:06 PM

On 12/13/23 21:47, Jeffrey Walton wrote:
> On Wed, Dec 13, 2023 at 7:55 PM Pocket <poc...@columbus.rr.com> wrote:
>> What formats does certs need to be to work with update-ca-certificates?
>>
>> PEM or DER?
> PEM


Ok, since I am using an intermediate cert to sign, I am creating a
combined PEM with the root CA and the intermediate cert like this:

cat "$directory"/certs/intermediate.cert.pem \
    "$ca_directory"/certs/ca.cert.pem > "$directory"/certs/ca-chain.cert.pem

Will that work, or does the cert have to be a single cert?


>
>> I have just finished writing some scripts to generate certs for my email
>> server and nginx server.
>>
>> [...]
>> Will pem format type certs work?
> Yes.
>
> You should also place the certificates in
> /usr/local/share/ca-certificates . Make the directory if it does not
> exist. And then run update-ca-certificates from the directory.
>
> Jeff

That sub directory does indeed exist, so do I need to run
update-ca-certificates from

/usr/local/share/ca-certificates, or can I just run update-ca-certificates as root?

Thanks

Pocket

Dec 13, 2023, 10:10:06 PM

On 12/13/23 21:50, Charles Curley wrote:
> On Thu, 14 Dec 2023 09:34:37 +0800
> jeremy ardley <jeremy...@gmail.com> wrote:
>
>> You don't have to be your own CA. It's very easy to use letsencrypt
>> to generate valid certificates for hosts even if they are not
>> directly connected to the internet.
> Oooh, is there a writeup somewhere on how to do that? The last time I
> looked, I couldn't find one. But that was a while ago.


I am following the one at
https://jamielinux.com/docs/openssl-certificate-authority

It is from 2015, and I made the scripts from the different stages in the
chapter:

root, intermediate and client.

I will consolidate them into a single script when I have everything working.

I will then add the revocation, CRL and OCSP at the end of testing.

I intend to encrypt the directory holding the CA with fscrypt to
keep the private keys secure.

Jeffrey Walton

Dec 13, 2023, 11:00:06 PM
On Wed, Dec 13, 2023 at 9:58 PM Pocket <poc...@columbus.rr.com> wrote:
>
> On 12/13/23 21:47, Jeffrey Walton wrote:
> > On Wed, Dec 13, 2023 at 7:55 PM Pocket <poc...@columbus.rr.com> wrote:
> >> What formats does certs need to be to work with update-ca-certificates?
> >>
> >> PEM or DER?
> > PEM
>
> Ok since I am using an intermediate cert to sign, I am creating a
> combined PEM with the root CA and the intermediate cert like this
>
> cat "$directory"/certs/intermediate.cert.pem
> "$ca_directory"/certs/ca.cert.pem > "$directory"/certs/ca-chain.cert.pem
>
> Will that work or does the cert have to be a single cert?

I don't recall. I use one file for each certificate.

Oh, and the file extension should be *.crt, not *.pem.

> >> I have just finished writing some scripts to generate certs for my email
> >> server and nginx server.
> >>
> >> [...]
> >> Will pem format type certs work?
> > Yes.
> >
> > You should also place the certificates in
> > /usr/local/share/ca-certificates . Make the directory if it does not
> > exist. And then run update-ca-certificates from the directory.
>
> That sub directory does indeed exist, so I need to run
> update-cert-certificates from
>
> /usr/local/share/ca-certificates or can I just run update-cert-certificates as root?

I don't recall. I run update-ca-certificates from
/usr/local/share/ca-certificates as root.

You might also be interested in update-ca-certificates(8) at
<https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html>,
and OpenSSL's c_rehash at
<https://github.com/openssl/openssl/blob/master/tools/c_rehash.in>. In
the past, I believe, update-ca-certificates relied upon c_rehash for
some operations.

Jeff

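Since the thread leaves open whether a concatenated ca-chain file is accepted, here is an added example (not the thread's own code, nor the ca-certificates package's) that instead does what Jeff describes: one certificate per file, each with a .crt suffix, under /usr/local/share/ca-certificates. It assumes POSIX sh with grep, awk, od, base64 and fold; the destination directory default and the BASENAME-N.crt naming are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ca-certificates package.
# Copies a PEM certificate, or a concatenated PEM chain like the ca-chain file
# built above, into the local trust store one certificate per file, each with
# the .crt suffix that update-ca-certificates looks for. DER input is wrapped
# into PEM first. Assumptions: POSIX sh plus grep, awk, od, base64 and fold;
# the destination defaults to /usr/local/share/ca-certificates, which
# update-ca-certificates scans without any edit to /etc/ca-certificates.conf.
set -eu

# Print "pem", "der" or "unknown" for a certificate file.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = 30 ]; then
        echo der    # a DER certificate starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# Count the certificates in a PEM file (one per BEGIN line; 0 if none).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# install_chain SRC [DEST_DIR] [BASENAME]
# Writes DEST_DIR/BASENAME-1.crt, BASENAME-2.crt, ... and prints how many.
install_chain() {
    src=$1; dest=${2:-/usr/local/share/ca-certificates}; name=${3:-local-ca}
    mkdir -p "$dest"
    case $(cert_format "$src") in
        pem) tmp=$src ;;
        der) tmp=$(mktemp)
             { echo '-----BEGIN CERTIFICATE-----'
               base64 < "$src" | tr -d '\n' | fold -w 64; echo
               echo '-----END CERTIFICATE-----'; } > "$tmp" ;;
        *)   echo "$src: neither PEM nor DER" >&2; return 1 ;;
    esac
    # Copy only the lines inside BEGIN/END blocks; anything between blocks
    # (blank lines, openssl's "Subject:" dumps) is dropped.
    awk -v dir="$dest" -v name="$name" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" name "-" n ".crt"; in_blk = 1 }
        in_blk { print > out }
        /-----END CERTIFICATE-----/ { in_blk = 0; close(out) }
    ' "$tmp"
    n=$(cert_count "$tmp")
    if [ "$tmp" != "$src" ]; then rm -f "$tmp"; fi
    echo "$n"
}

# Usage: sh install-ca.sh CERT_FILE [DEST_DIR] [BASENAME], then run
# update-ca-certificates as root to regenerate /etc/ssl/certs.
if [ $# -gt 0 ]; then
    install_chain "$@"
fi
```

After the files are in place, run update-ca-certificates as root; certificates under /usr/local/share/ca-certificates are picked up without touching /etc/ca-certificates.conf.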
Jeffrey Walton

Dec 14, 2023, 6:40:06 AM
I submitted a PR to update the documentation. The existing docs were
missing some useful options, and did not say how to add certificates
in a meaningful way.

Also see <https://salsa.debian.org/debian/ca-certificates/-/merge_requests/11>
and <https://salsa.debian.org/debian/ca-certificates/-/merge_requests/12>.

Jeff

Andy Smith

Dec 14, 2023, 7:20:06 AM
Hello,

On Wed, Dec 13, 2023 at 07:50:00PM -0700, Charles Curley wrote:
> On Thu, 14 Dec 2023 09:34:37 +0800
> jeremy ardley <jeremy...@gmail.com> wrote:
>
> > You don't have to be your own CA. It's very easy to use letsencrypt
> > to generate valid certificates for hosts even if they are not
> > directly connected to the internet.
>
> Oooh, is there a writeup somewhere on how to do that? The last time I
> looked, I couldn't find one. But that was a while ago.

Normally you do it with DNS-01 challenges, which you answer by
(programmatically) putting something in your DNS zone, either by RFC
compliant DNS update or by using an API plugin for your DNS
provider. By this means you can get a certificate for anything that
is in (your part of) the global DNS.

Any of the letsencrypt clients should have decent documentation of
DNS-01 challenges. I really like acme.sh in preference to certbot.

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Henning Follmann

Dec 14, 2023, 8:20:06 AM
On Wed, Dec 13, 2023 at 09:47:41PM -0500, Jeffrey Walton wrote:
> On Wed, Dec 13, 2023 at 7:55 PM Pocket <poc...@columbus.rr.com> wrote:
> >
> > What formats does certs need to be to work with update-ca-certificates?
> >
> > PEM or DER?
>
> PEM

Well, let's look at man update-ca-certificates, shall we?

"Certificates must have a .crt extension..."

>
> > I have just finished writing some scripts to generate certs for my email
> > server and nginx server.
> >
> > [...]
> > Will pem format type certs work?
>
> Yes.
>
> You should also place the certificates in
> /usr/local/share/ca-certificates . Make the directory if it does not
> exist. And then run update-ca-certificates from the directory.
>

Again from the manual:
"It reads the file /etc/ca-certificates.conf. Each line gives a pathname
of a CA certificate under /usr/share/ca-certificates that should be
trusted. Lines that begin with "#" are comment lines and thus ignored.
Lines that begin with "!" are deselected, causing the deactivation of
the CA certificate in question. Certificates must have a .crt extension
in order to be included by update-ca-certificates."


It is not enough to just put them in that directory. You also have to
update /etc/ca-certificates.conf.


-H



--
Henning Follmann | hfol...@itcfollmann.com

Pocket

Dec 14, 2023, 8:50:05 AM

On 12/14/23 08:11, Henning Follmann wrote:
> On Wed, Dec 13, 2023 at 09:47:41PM -0500, Jeffrey Walton wrote:
>> On Wed, Dec 13, 2023 at 7:55 PM Pocket <poc...@columbus.rr.com> wrote:
>>> What formats does certs need to be to work with update-ca-certificates?
>>>
>>> PEM or DER?
>> PEM
> Well lets look at man update-ca-certificates, shall we?
>
> "Certificates must have a .crt extension..."

Let's have a look at some of the standards, shall we?

https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/

Certs that have a suffix of .crt are in DER format by this convention.
Maybe the script should actually look for PEM files?

Should the suffix of the file be .pem, as the certs that are referenced
by the conf file seem to be in PEM format?

Well yes, that would eliminate the confusion, and we cannot have that, can we.


>
>
>
>>> I have just finished writing some scripts to generate certs for my email
>>> server and nginx server.
>>>
>>> [...]
>>> Will pem format type certs work?
>> Yes.
>>
>> You should also place the certificates in
>> /usr/local/share/ca-certificates . Make the directory if it does not
>> exist. And then run update-ca-certificates from the directory.
>>
> again from the manual:
> "It reads the file /etc/ca-certificates.conf. Each line gives a pathname
> of a CA certificate under /usr/share/ca-certificates that should be
> trusted. Lines that begin with "#" are comment lines and thus ignored.
> Lines that begin with "!" are deselected, causing the deactivation of
> the CA certificate in question. Certificates must have a .crt extension
> in order to be included by update-ca-certificates."
>
>
> It is not enough to just put them in that directory. You also have to
> update /etc/ca-certificates.conf
>
>
> -H


Is that in the bash script?

I don't see it; can you point it out?

Doesn't it also say /usr/local/share/ca-certificates is also in play?

Notice the man page has nothing about the format, or whether each cert must be
a single file or you can concatenate multiple certs into a single file.

The docs are clearly insufficient.

I am currently looking at the bash script, not the docs.

Linux-Fan

Dec 14, 2023, 2:30:07 PM
Pocket writes:

> On 12/14/23 08:11, Henning Follmann wrote:
>> On Wed, Dec 13, 2023 at 09:47:41PM -0500, Jeffrey Walton wrote:
>>> On Wed, Dec 13, 2023 at 7:55 PM Pocket <poc...@columbus.rr.com> wrote:
>>>> What formats does certs need to be to work with update-ca-certificates?
>>>>
>>>> PEM or DER?
>>> PEM
>> Well lets look at man update-ca-certificates, shall we?
>>
>> "Certificates must have a .crt extension..."
>
> Lets have a look at some of the standards shall we?
>
> https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
>
> A cert that have a suffix of .crt are in DER format by this convention.
> maybe the script should actually look for PEM files?

The above linked page is not a standard. Additionally, it does not seem to
support your claim and e.g. says as follows:

* “The DER certificate format stands for “distinguished encoding rules. It
is a binary form of PEM-formatted certificates containing all types of
certificates and private keys. However, they usually use .cer and .der
extensions.”
* “A PEM file contains ASCII encoding data, and the certificate files come
in .pem, .crt, .cer, or .key formats.”

IOW per this source, `.crt` is a perfectly valid file extension for
certificates in PEM format.

I'd be curious for some “standard” definition about these file extensions
because from what I have seen, the file extensions for certificates, keys
and certificate signing requests are used quite chaotically sometimes to
encode either the intention (.pub, .priv, .cer, .csr) or the data format
(.pem, .der) and sometimes there seems to be an intention to encode both
some way e.g. I've observed .pem for PEM certificates and .cer for DER-
formatted certificates which would be in line with the ssl.com link btw.

> Should the suffix of the file be .pem as the certs that are referenced by
> the conf file seem to be in PEM format?

Stick to what the program expects and use .crt

> Well yes that would eliminate the confusion and we can not have that can we.

If there were some agreed-on standard to do this stuff, I would love to know
about it. The closest things that I found by a cursory internet search were
RFC2585 and RFC5280:

* https://datatracker.ietf.org/doc/html/rfc2585
* https://datatracker.ietf.org/doc/html/rfc5280

AFAIU they specify

* `.cer` for DER-encoded certificates
* `.crl` for DER-encoded certificate revocation lists
* `.p7c` for PKCS#7 encoded certificates

[...]

YMMV
Linux-Fan

öö

Pocket

Dec 14, 2023, 2:40:07 PM

Sent from my iPad

> On Dec 14, 2023, at 2:23 PM, Linux-Fan <Ma_S...@web.de> wrote:
>
> Pocket writes:
>
>>> On 12/14/23 08:11, Henning Follmann wrote:
>>> On Wed, Dec 13, 2023 at 09:47:41PM -0500, Jeffrey Walton wrote:
>>>> On Wed, Dec 13, 2023 at 7:55 PM Pocket <poc...@columbus.rr.com> wrote:
>>>>> What formats does certs need to be to work with update-ca-certificates?
>>>>>
>>>>> PEM or DER?
>>>> PEM
>>> Well lets look at man update-ca-certificates, shall we?
>>>
>>> "Certificates must have a .crt extension..."
>>
>> Lets have a look at some of the standards shall we?
>>
>> https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
>>
>> A cert that have a suffix of .crt are in DER format by this convention. maybe the script should actually look for PEM files?
>
> The above linked page is not a standard. Additionally, it does not seem to support your claim and e.g. says as follows:
>
> * “The DER certificate format stands for “distinguished encoding rules. It
> is a binary form of PEM-formatted certificates containing all types of
> certificates and private keys. However, they usually use .cer and .der extensions.”
> * “A PEM file contains ASCII encoding data, and the certificate files come
> in .pem, .crt, .cer, or .key formats.”
>
> IOW per this source, `.crt` is a perfectly valid file extension for certificates in PEM format.
>
> I'd be curious for some “standard” definition about these file extensions because from what I have seen, the file extensions for certificates, keys and certificate signing requests are used quite chaotically sometimes to encode either the intention (.pub, .priv, .cer, .csr) or the data format (.pem, .der) and sometimes there seems to be an intention to encode both some way e.g. I've observed .pem for PEM certificates and .cer for DER-formatted certificates which would be in line with the ssl.com link btw.
>
>> Should the suffix of the file be .pem as the certs that are referenced by the conf file seem to be in PEM format?
>
> Stick to what the program expects and use .crt

Ok, what format: DER, PEM or some form of PKCS?

DER and PEM both use .crt.

One cert per file or multiple?

Notice the docs do not specify.

How do the certs get processed, as different formats require different processes?


>
>> Well yes that would eliminate the confusion and we can not have that can we.
>
> If there were some agreed-on standard to do this stuff, I would love to know about it. The closest things that I found by a cursory internet search were FRC2585 and RFC5280:
>
> * https://datatracker.ietf.org/doc/html/rfc2585
> * https://datatracker.ietf.org/doc/html/rfc5280
>
> AFAIU they specify
>
> * `.cer` for DER-encoded certificates
> * `.crl` for DER-encoded certificate revocation lists
> * `.p7c` for PKCS#7 encoded certificates

DER, .der and .crt

PEM .pem and .crt

Docs should specify.

>
> [...]
>
> YMMV
> Linux-Fan
>
> öö

Linux-Fan

Dec 14, 2023, 3:00:06 PM
Pocket writes:
> On Dec 14, 2023, at 2:23 PM, Linux-Fan <Ma_S...@web.de> wrote:
> > Pocket writes:

[...]

> > > Should the suffix of the file be .pem as the certs that are referenced by
> > > the conf file seem to be in PEM format?
> >
> > Stick to what the program expects and use .crt
>
> Ok what format DER, PEM or some form of PKC?

Use PEM-format with file extension .crt.

> DER and PEM both use crt.

Yes, although PEM seems to be more common per my anecdotal understanding,
because for DER format `.cer` seems to be more prevalent.

> One cert for file or multiple?
>
> Notice the docs do not specify.

Indeed they don't specify this directly. If you take the examples into
consideration, they may shed some light on this, though:

~~~
$ xxd < /usr/share/doc/ca-certificates/examples/ca-certificates-local/local/Local_Root_CA.crt
00000000: 2d2d 2d2d 2d42 4547 494e 2043 4552 5449 -----BEGIN CERTI
00000010: 4649 4341 5445 2d2d 2d2d 2d0a 4475 6d6d FICATE-----.Dumm
00000020: 7920 526f 6f74 2043 4120 6669 6c65 3b20 y Root CA file;
00000030: 7265 706c 6163 6520 6974 2077 6974 6820 replace it with
00000040: 7468 6520 5045 4d2d 656e 636f 6465 6420 the PEM-encoded
00000050: 726f 6f74 2063 6572 7469 6669 6361 7465 root certificate
00000060: 0a2d 2d2d 2d2d 454e 4420 4345 5254 4946 .-----END CERTIF
00000070: 4943 4154 452d 2d2d 2d2d 0a
~~~

I used xxd just because I was unsure of the format, and within the first
lines one can recognize the familiar --BEGIN CERTIFICATE-- lines that are
typical for PEM certificates. Additionally, there is some text that
explicitly explains that this should resemble a PEM file (I find this
example odd, because it is obviously not a valid PEM since that would be
base64 encoded?)

Additional info can be gained from the README.Debian:

~~~
$ head -n 5 /usr/share/doc/ca-certificates/README.Debian
The Debian Package ca-certificates
----------------------------------

This package includes PEM files of CA certificates to allow SSL-based
applications to check for the authenticity of SSL connections.
~~~

Concluding from both of these documentation pieces it looks like the PEM
format is indeed hinted at although maybe not as obviously as it could be.

It does not answer the question about multiple certificates in one file,
though.

[...]

HTH
Linux-Fan

öö