We have moved to a new Sailfish OS Forum. Please start new discussions there.
35

Where can I add a system CA certificate

asked 2013-12-26 21:52:24 +0200

AL13N gravatar image

updated 2013-12-26 21:54:58 +0200

Where can I add a system CA certificate ( cacert )? the directory path for system CA certificates?

eg: my website is signed by it, and same thing with my mailserver (smtp, imap).

GUI question is here

edit retag flag offensive close delete

Comments

Certificates seem to be in /etc/pki/tls/certs

onion ( 2013-12-26 22:00:34 +0200 )edit

@onion the CA ones too?

AL13N ( 2013-12-26 22:04:47 +0200 )edit

4 Answers

Sort by » oldest newest most voted
16

answered 2014-01-12 12:38:35 +0200

AL13N gravatar image

updated 2014-01-12 12:42:18 +0200

Make sure you're root on your device, with devmode and devel-su, then first install openssl:

pkcon install openssl

Then go the CA path, fetch the root certificate and install it:

cd /etc/pki/tls/certs/
curl http://www.cacert.org/certs/root.crt -o ca-cert-root.pem
ln -s ca-cert-root.pem $( openssl x509 -hash -noout -in ca-cert-root.pem )".0"

Testing it with openssl:

openssl s_client -connect www.cacert.org:443 -CApath /etc/pki/tls/certs

unfortunately, the native browser doesn't seem to use the CA certificates, so, next you can follow this post.

edit flag offensive delete publish link more

Comments

3

The native browser is gecko/firefox based, it brings its own certificate storage, your observation is correct.

tbr ( 2014-01-12 15:15:11 +0200 )edit

Does it make sense to copy this openssl-named file to /system/etc/security/cacerts for android stuff? (copy not symbolic link!)

cy8aer ( 2014-03-24 14:50:46 +0200 )edit

I have followed the above to add Class 1 PKI Key Root Certificate and the below Class 3 PKI Key Intermediate Certificate but I am still getting in the web browser "This Connection is Untrusted" msg. when trying to access https page secured by CAcert.org certificates I have generated for the site (Error code is: sec_error_unknown_issuer).

m2 ( 2014-04-25 20:13:46 +0200 )edit
1

@m2 follow the link at the end of this answer! Repeating it here for clarity: https://together.jolla.com/question/835/browser-personal-certificates-import/?answer=8170#post-id-8170 This answer is NOT about importing certificates to be used by the browser!

tbr ( 2014-04-25 21:48:08 +0200 )edit

Is the "browser step" still needed with 1.1.7?

From the release notes: Introduce certificate handling middleware (p11-kit). All crypto libraries now share one CA store.

ilpianista ( 2015-07-15 14:01:37 +0200 )edit
10

answered 2014-01-15 18:00:50 +0200

nblr gravatar image

updated 2014-08-05 18:15:54 +0200

Instead of using the lengthy and awkward ln -s [...] you can use multi_c_rehash which is a quite convenient tool that came out of the mer project and can be used to create the hash-symlinks in the /etc/pki/tls/certs directory.

so... just place the (ca) certificate in the directory /etc/pki/tls/certs in pem format and run multi_c_rehash afterwards. - don't forget to devel_su first :-)

edit flag offensive delete publish link more
4

answered 2015-10-14 14:59:35 +0200

Jfish gravatar image

Hello!

Now do not necessarily need to install openssl.

Here are the contents of the file README(in /etc/pki/ca-trust/source/README) what to do.

This directory /etc/pki/ca-trust/source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
        list of CAs trusted on the system:

        Copy it to the
                /etc/pki/ca-trust/source/anchors/
        subdirectory, and run the
                update-ca-trust
        command.

        If your certificate is in the extended BEGIN TRUSTED file format,
        then place it into the main source/ directory instead.
        =============================================================================
        Please refer to the update-ca-trust(8) manual page for additional information.
edit flag offensive delete publish link more

Comments

This sounds like iI just have to copy the certificate into the quoted path. Is that correct?

jsommer ( 2018-05-12 18:55:19 +0200 )edit
3

answered 2013-12-26 22:11:58 +0200

onion gravatar image

updated 2013-12-26 22:30:20 +0200

AL13N gravatar image

First, install openssl: pkcon install openssl

Go to /etc/pki/tls/certs

Then, download the ca-cert certificate: curl http://www.cacert.org/certs/class3.crt -o ca-cert-c3.pem

Get the required hash link using openssl:

ln -s ca-cert-c3.pem $( openssl x509 -hash -noout -in ca-cert-c3.pem )".0"

That should be it.

edit flag offensive delete publish link more

Comments

I'll accept the answer when i eventually get my Jolla :-)

AL13N ( 2013-12-26 22:30:42 +0200 )edit

tried that, but did not solve the original problem with XMPP with my own jabber server (see http://talk.maemo.org/showthread.php?t=92053). With "bool:ignore-ssl-errors=false" the native im-client does not connect.

thessy ( 2013-12-27 21:44:33 +0200 )edit

Kiitos, that works for apps using openssl. RFE: add a Makefile in /etc/pki/tls/certs like most distros have (shout if you want me to dig one out)

pcfe ( 2013-12-28 17:12:16 +0200 )edit
1

"is that really all for the certificates? What about /system/etc/security/cacerts? All out of the box certificates in /etc/pki/tls/certs seem to symbolic link into this directory... " (by @cy8aer )

AL13N ( 2013-12-30 18:38:08 +0200 )edit

@onion tried to verify with

openssl s_client -connect www.rmail.be:443 -CApath /etc/pki/tls/certs

and it failed to find issuer

AL13N ( 2014-01-12 01:21:21 +0200 )edit
Login/Signup to Answer

Question tools

Follow
24 followers

Stats

Asked: 2013-12-26 21:52:24 +0200

Seen: 7,319 times

Last updated: Oct 14 '15