How to deal with self signed certificates properly?
Dear openSUSE community,

I'm facing issues using self signed certificates on openSUSE Leap 15.3.

I have a certificate 'gnuhealth-selfsigned.crt' in PEM format and a hostname 'susetest'. Actually I want to use the update-ca-certificates command. I tried copying the certificate into /usr/share/pki/trust/anchors/ and /usr/share/pki/trust/ as .crt and renamed to .pem. For all four scenarios the output of 'sudo update-ca-certificates -v' does not contain something like "1 added" and 'wget https://susetest' does still complain about a selfsigned certificate afterwards.

Finally I managed to get it working by running 'cat /path/gnuhealth-selfsigned.crt | sudo tee -a /var/lib/ca-certificates/ca-bundle.pem'. Since this file says "Do not edit!" I'm sure this was not the proper way but I don't know how to do it properly either.

Does someone have an idea what I did wrong with update-ca-certificates? The certificate was created using OpenSSL.

Kind regards
Gerald
On 11/11/21 3:52 PM, Gerald Wiese wrote:
> Dear openSUSE community,
>
> I'm facing issues using self signed certificates on openSUSE Leap 15.3.
>
> I have a certificate 'gnuhealth-selfsigned.crt' in PEM format and a hostname 'susetest'. Actually I want to use the update-ca-certificates command. I tried copying the certificate into /usr/share/pki/trust/anchors/ and /usr/share/pki/trust/ as .crt and renamed to .pem. For all four scenarios the output of 'sudo update-ca-certificates -v' does not contain something like "1 added" and 'wget https://susetest' does still complain about a selfsigned certificate afterwards.

I'm not a certificate expert but that looks OK to me.

The YaST registration module does a certificate import in SLES this way:

- Copy the PEM file to /usr/share/pki/trust/anchors/ directory
- Run /usr/sbin/update-ca-certificates

It should work the same way also in Leap 15.3...

--
Ladislav Slezák
YaST Developer
SUSE LINUX, s.r.o.
Corso IIa
Křižíkova 148/34
18600 Praha 8
On Fri, 2021-11-12 at 15:45 +0100, Ladislav Slezák wrote:
> On 11/11/21 3:52 PM, Gerald Wiese wrote:
> > Dear openSUSE community,
> >
> > I'm facing issues using self signed certificates on openSUSE Leap 15.3.
> >
> > I have a certificate 'gnuhealth-selfsigned.crt' in PEM format and a hostname 'susetest'. Actually I want to use the update-ca-certificates command. I tried copying the certificate into /usr/share/pki/trust/anchors/ and /usr/share/pki/trust/ as .crt and renamed to .pem. For all four scenarios the output of 'sudo update-ca-certificates -v' does not contain something like "1 added" and 'wget https://susetest' does still complain about a selfsigned certificate afterwards.
>
> I'm not a certificate expert but that looks OK to me.
>
> The YaST registration module does a certificate import in SLES this way:
>
> - Copy the PEM file to /usr/share/pki/trust/anchors/ directory

Copy the PEM file to /etc/pki/trust/anchors

/usr belongs to distribution packages and should not be tinkered with by users, /etc exists for user configuration

> - Run /usr/sbin/update-ca-certificates
>
> It should work the same way also in Leap 15.3...

--
Richard Brown
Linux Distribution Engineer - Future Technology Team
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, D-90409 Nuremberg, Germany
(HRB 36809, AG Nürnberg)
Managing Director/Geschäftsführer: Ivo Totev
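
The thread does not show how to confirm that update-ca-certificates actually picked up the anchor. The following Python check is an added example, not code from any participant or from openSUSE: it compares the decoded DER bytes of a PEM certificate against every certificate in the bundle and flags a file placed under /usr/share instead of /etc/pki/trust/anchors. It assumes the bundle stores plain `BEGIN CERTIFICATE` blocks; the function names and the sample data are constructed for illustration.

```python
import base64
import re
import sys

# Paths as named in the thread.
USER_ANCHORS = "/etc/pki/trust/anchors"
DIST_ANCHORS = "/usr/share/pki/trust/anchors"
BUNDLE = "/var/lib/ca-certificates/ca-bundle.pem"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholders (not real certificates); the bundle copy of the
# anchor is wrapped differently to show the comparison ignores line breaks.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQUJDREVG\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = ("# other CA\n-----BEGIN CERTIFICATE-----\nR0hJ\n"
                 "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n"
                 "QUJD\nREVG\n-----END CERTIFICATE-----\n")


def pem_to_der(text):
    """Decode every CERTIFICATE block in a PEM text to its DER bytes."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(text)]


def anchor_in_bundle(cert_pem, bundle_pem):
    """True if the one certificate in cert_pem is also in bundle_pem."""
    certs = pem_to_der(cert_pem)
    if len(certs) != 1:
        raise ValueError("expected one certificate, found %d" % len(certs))
    return certs[0] in pem_to_der(bundle_pem)


def location_advice(path):
    """Compare where the file was placed with the advice in the thread."""
    if path.startswith(DIST_ANCHORS + "/"):
        return "move to %s (/usr belongs to distribution packages)" % USER_ANCHORS
    if path.startswith(USER_ANCHORS + "/"):
        return "ok"
    return "not an anchors directory; copy to %s" % USER_ANCHORS


if __name__ == "__main__":
    cert, bundle = SAMPLE_CERT, SAMPLE_BUNDLE
    if len(sys.argv) > 1:  # usage: script.py CERT [BUNDLE]
        print("location:", location_advice(sys.argv[1]))
        bundle_path = sys.argv[2] if len(sys.argv) > 2 else BUNDLE
        cert, bundle = open(sys.argv[1]).read(), open(bundle_path).read()
    print("in bundle:", anchor_in_bundle(cert, bundle))
```

Run without arguments it uses the constructed sample; given the path of the installed anchor it reads the real bundle after update-ca-certificates has run.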