Ask / Submit
33

Where can I add a system CA certificate

asked 2013-12-26 21:52:24 +0300

AL13N gravatar image

updated 2013-12-26 21:54:58 +0300

Where can I add a system CA certificate ( cacert )? the directory path for system CA certificates?

eg: my website is signed by it, and same thing with my mailserver (smtp, imap).

GUI question is here

edit retag flag offensive close delete

Comments

Certificates seem to be in /etc/pki/tls/certs

onion ( 2013-12-26 22:00:34 +0300 )edit

@onion the CA ones too?

AL13N ( 2013-12-26 22:04:47 +0300 )edit

4 Answers

Sort by » oldest newest most voted
13

answered 2014-01-12 12:38:35 +0300

AL13N gravatar image

updated 2014-01-12 12:42:18 +0300

Make sure you're root on your device, with devmode and devel-su, then first install openssl:

pkcon install openssl

Then go the CA path, fetch the root certificate and install it:

cd /etc/pki/tls/certs/
curl http://www.cacert.org/certs/root.crt -o ca-cert-root.pem
ln -s ca-cert-root.pem $( openssl x509 -hash -noout -in ca-cert-root.pem )".0"

Testing it with openssl:

openssl s_client -connect www.cacert.org:443 -CApath /etc/pki/tls/certs

unfortunately, the native browser doesn't seem to use the CA certificates, so, next you can follow this post.

edit flag offensive delete publish link more

Comments

2

The native browser is gecko/firefox based, it brings its own certificate storage, your observation is correct.

tbr ( 2014-01-12 15:15:11 +0300 )edit

Does it make sense to copy this openssl-named file to /system/etc/security/cacerts for android stuff? (copy not symbolic link!)

cy8aer ( 2014-03-24 14:50:46 +0300 )edit

I have followed the above to add Class 1 PKI Key Root Certificate and the below Class 3 PKI Key Intermediate Certificate but I am still getting in the web browser "This Connection is Untrusted" msg. when trying to access https page secured by CAcert.org certificates I have generated for the site (Error code is: sec_error_unknown_issuer).

m2 ( 2014-04-25 20:13:46 +0300 )edit

@m2 follow the link at the end of this answer! Repeating it here for clarity: https://together.jolla.com/question/835/browser-personal-certificates-import/?answer=8170#post-id-8170 This answer is NOT about importing certificates to be used by the browser!

tbr ( 2014-04-25 21:48:08 +0300 )edit

Is the "browser step" still needed with 1.1.7?

From the release notes: Introduce certificate handling middleware (p11-kit). All crypto libraries now share one CA store.

ilpianista ( 2015-07-15 14:01:37 +0300 )edit
10

answered 2014-01-15 18:00:50 +0300

nblr gravatar image

updated 2014-08-05 18:15:54 +0300

Instead of using the lengthy and awkward ln -s [...] you can use multi_c_rehash which is a quite convenient tool that came out of the mer project and can be used to create the hash-symlinks in the /etc/pki/tls/certs directory.

so... just place the (ca) certificate in the directory /etc/pki/tls/certs in pem format and run multi_c_rehash afterwards. - don't forget to devel_su first :-)

edit flag offensive delete publish link more
3

answered 2013-12-26 22:11:58 +0300

onion gravatar image

updated 2013-12-26 22:30:20 +0300

AL13N gravatar image

First, install openssl: pkcon install openssl

Go to /etc/pki/tls/certs

Then, download the ca-cert certificate: curl http://www.cacert.org/certs/class3.crt -o ca-cert-c3.pem

Get the required hash link using openssl:

ln -s ca-cert-c3.pem $( openssl x509 -hash -noout -in ca-cert-c3.pem )".0"

That should be it.

edit flag offensive delete publish link more

Comments

I'll accept the answer when i eventually get my Jolla :-)

AL13N ( 2013-12-26 22:30:42 +0300 )edit

tried that, but did not solve the original problem with XMPP with my own jabber server (see http://talk.maemo.org/showthread.php?t=92053). With "bool:ignore-ssl-errors=false" the native im-client does not connect.

thessy ( 2013-12-27 21:44:33 +0300 )edit

Kiitos, that works for apps using openssl. RFE: add a Makefile in /etc/pki/tls/certs like most distros have (shout if you want me to dig one out)

pcfe ( 2013-12-28 17:12:16 +0300 )edit
1

"is that really all for the certificates? What about /system/etc/security/cacerts? All out of the box certificates in /etc/pki/tls/certs seem to symbolic link into this directory... " (by @cy8aer )

AL13N ( 2013-12-30 18:38:08 +0300 )edit

@onion tried to verify with

openssl s_client -connect www.rmail.be:443 -CApath /etc/pki/tls/certs

and it failed to find issuer

AL13N ( 2014-01-12 01:21:21 +0300 )edit
2

answered 2015-10-14 14:59:35 +0300

Jfish gravatar image

Hello!

Now do not necessarily need to install openssl.

Here are the contents of the file README(in /etc/pki/ca-trust/source/README) what to do.

This directory /etc/pki/ca-trust/source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
/usr/share/pki/ca-trust-source/.
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
        list of CAs trusted on the system:

        Copy it to the
                /etc/pki/ca-trust/source/anchors/
        subdirectory, and run the
                update-ca-trust
        command.

        If your certificate is in the extended BEGIN TRUSTED file format,
        then place it into the main source/ directory instead.
        =============================================================================
        Please refer to the update-ca-trust(8) manual page for additional information.
edit flag offensive delete publish link more
Login/Signup to Answer

Question tools

Follow
23 followers

Stats

Asked: 2013-12-26 21:52:24 +0300

Seen: 5,124 times

Last updated: Oct 14 '15