Open Js-Brecht opened 5 years ago
Something else that is kind of a pain in the ass is that the browsers don't use the OS store. I use Chrome, and sometimes Firefox, and to trust a certificate authority, I have to add it to the browser's trust store manually. I actually just got done doing this... it looked like this:
```bash
dbDir="${HOME}/.pki/nssdb"   # Chrome's NSS db directory; the store is the file 'cert9.db' in this folder
caName="<commonName of certificate authority>"
certFile="<Path to certificate authority's *.crt>"
# -A adds a cert; -n is the nickname; -t "TCu,Cu,Tu" marks it trusted as a CA for SSL, email and object signing
certutil -A -n "${caName}" -t "TCu,Cu,Tu" -i "${certFile}" -d "sql:${dbDir}"
```
The trust store locations on my particular distro are:
- `~/.mozilla/firefox/<profile>/cert9.db`
- `~/.pki/nssdb/cert9.db`
I am getting an error when attempting to install the root certificate authority to the trusted store; it is unable to create directory `/usr/share/ca-certificates/extra/`. `/usr/**/*` is writable by root only. `update-ca-certificates` also requires root, because it updates `/etc/ssl/certs`.

Additionally, in order for certificates to be picked up in `/usr/share/ca-certificates/**/*`, their path needs to be added to `/etc/ca-certificates.conf` (relative to `/usr/share/ca-certificates`; with the `extra` subdirectory, it would read, e.g. `extra/<certname>.crt`); I can confirm that without this, the certificate is ignored. However, ALL certificates added to `/usr/local/share/ca-certificates` will be trusted implicitly... i.e. they will be included in `/etc/ssl/certs` when `update-ca-certificates` is run. IMO, it is better to just install the certificate in `/usr/local/share/ca-certificates`.

This is using Ubuntu 18.04; I think it's pretty standard across Debian/Ubuntu distros. I think RedHat is the same, up to 7ish? RHEL7/Fedora 19+ use `/etc/pki/ca-trust/source/anchors`. Don't quote me on this... would need to do some research. I'm not running any of those distros anymore, and it's been a while since I have. There's probably even more variations out there :man_shrugging:

I was also getting an error when running `isInstalled()`: `/usr/share/ca-certificates/extra` does not exist. Since `/etc/ssl/certs` is a central repository of installed root certificates, wouldn't it make sense to look there? It is just a collection of symlinks. At the very least, shouldn't there be a check to see if the directory exists before trying to read from it?