MikeKovarik / cert-store

🔐 Install, check and delete trusted root certificates.
MIT License
7 stars, 4 forks

Issues when installing root certificate #3

Open Js-Brecht opened 5 years ago

Js-Brecht commented 5 years ago

I am getting an error when attempting to install the root certificate authority to the trusted store; it is unable to create the directory /usr/share/ca-certificates/extra/. /usr/**/* is writable by root only. update-ca-certificates also requires root, because it updates /etc/ssl/certs.

Additionally, in order for certificates to be picked up in /usr/share/ca-certificates/**/*, their path needs to be added to /etc/ca-certificates.conf (relative to /usr/share/ca-certificates; with the extra subdirectory, it would read, e.g. extra/<certname>.crt); I can confirm that without this, the certificate is ignored. However, ALL certificates added to /usr/local/share/ca-certificates will be trusted implicitly... i.e. they will be included in /etc/ssl/certs when update-ca-certificates is run. IMO, it is better to just install the certificate in /usr/local/share/ca-certificates.

This is using Ubuntu 18.04; I think it's pretty standard across Debian/Ubuntu distros. I think RedHat is the same, up to 7ish? RHEL7/Fedora 19+ use /etc/pki/ca-trust/source/anchors. Don't quote me on this... would need to do some research. I'm not running any of those distros anymore, and it's been a while since I have. There's probably even more variations out there :man_shrugging:

I was also getting an error when running isInstalled(): /usr/share/ca-certificates/extra does not exist. Since /etc/ssl/certs is a central repository of installed root certificates, wouldn't it make sense to look there? It is just a collection of symlinks. At the very least, there should be a check to see if the directory exists before trying to read from it.

Js-Brecht commented 5 years ago

Something else that is kind of a pain in the ass is that the browsers don't use the OS store. I use Chrome, and sometimes Firefox, and to trust a certificate authority, I have to add it to the browser's trust store manually. I actually just got done doing this... it looked like this:

dbDir="${HOME}/.pki/nssdb" # This is chrome's db directory.  The store is the file called 'cert9.db' in this folder
caName="<commonName of certificate authority>"
certFile="<Path to certificate authority's *.crt>"
# certutil comes from the NSS tools package (libnss3-tools on Debian/Ubuntu); paths are quoted so spaces survive
certutil -A -n "${caName}" -t "TCu,Cu,Tu" -i "${certFile}" -d "sql:${dbDir}"

The trust store locations on my particular distro are: