How to add trusted CA certificate on CentOS/Fedora

Introduction

If you have ever tried to connect to a server using TLS, you might have run into an error like this saying the certificate is untrusted:

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

You could tell your client to ignore self-signed certificates (e.g. -k with curl), but the better practice is to properly add that certificate as a trusted certificate authority. We will look at how to do this on Fedora/CentOS/Red Hat. At the time of writing the current versions are Fedora 31 and CentOS 8.

Move the cert to proper location

Copy the certificate pem to /etc/pki/ca-trust/source/anchors

cp mycert.pem /etc/pki/ca-trust/source/anchors/mycert.pem

Update trusted certificates

After copying the cert into /etc/pki/ca-trust/source/anchors/, run (as root):

update-ca-trust

This regenerates the system trust bundles so that they include every anchor in that directory, including the one you just added.

Set up a test environment

This step is optional, but if you do not have a web server and SSL certificate already you may want to create one for testing. You will need two things: an SSL certificate and a web server.

Generate a self-signed cert

You can generate a self-signed SSL certificate using OpenSSL. Learn more in my tutorial Creating self-signed SSL certificates with OpenSSL.

You can use this one command in the shell to generate a cert. Change localhost if necessary: the CN must match the hostname the client will connect to.

# One command, split across several lines for readability
openssl \
  req \
  -newkey rsa:2048 -nodes \
  -keyout key.pem \
  -x509 -days 36500 -out cert.pem \
  -subj "/C=US/ST=NRW/L=Earth/O=CompanyName/OU=IT/CN=localhost/[email protected]"

Run an HTTPS web server

Once you have the certificate and key, you can run a simple web server that uses the cert for testing.

One option is to use OpenSSL itself. For example:

# Uses the key.pem and cert.pem generated above and listens on port 5000.
# There is no directory index listing, so you must visit a specific file
# in the current directory, e.g. https://localhost:5000/cert.pem
openssl s_server -key key.pem -cert cert.pem -accept 5000 -WWW

You can also use Python Flask. This small example will always return a 404, but it will let you know if your SSL certificate is causing an error. Install the flask package for Python, then run this Python code:

# pip install flask
from flask import Flask

# No routes are defined, so every path returns 404; the point is only to
# serve TLS with cert.pem/key.pem. Flask listens on https://127.0.0.1:5000
# by default.
Flask(__name__).run(ssl_context=('cert.pem', 'key.pem'))

Test the HTTPS request

You can use curl to test whether the SSL certificate is trusted or not.

Try running:

# Or whatever hostname/port you are using
curl https://localhost:5000

If the certificate is not trusted you will get an error telling you so, and letting you know you can use the -k flag to ignore the error. If it works, you should see the proper HTTP response with no error messages related to SSL.

To learn more about curl, see my curl Tutorial.

Conclusion

After following this guide you should understand how to add an SSL/TLS certificate as a trusted certificate authority, so that clients no longer report self-signed certificate errors when connecting to the server.
