35

Where can I add a system CA certificate

asked 2013-12-26 21:52:24 +0300


updated 2013-12-26 21:54:58 +0300

Where can I add a system CA certificate (cacert)? What is the directory path for system CA certificates?

E.g. my website is signed by it, and the same goes for my mail server (SMTP, IMAP).

GUI question is here

Comments

Certificates seem to be in /etc/pki/tls/certs

onion ( 2013-12-26 22:00:34 +0300 )

@onion the CA ones too?

AL13N ( 2013-12-26 22:04:47 +0300 )

4 Answers

16

answered 2014-01-12 12:38:35 +0300


updated 2014-01-12 12:42:18 +0300

Make sure you're root on your device, with devmode and devel-su, then first install openssl:

pkcon install openssl

Then go to the CA path, fetch the root certificate and install it:

cd /etc/pki/tls/certs/
curl http://www.cacert.org/certs/root.crt -o ca-cert-root.pem
ln -s ca-cert-root.pem $( openssl x509 -hash -noout -in ca-cert-root.pem )".0"

Testing it with openssl:

openssl s_client -connect www.cacert.org:443 -CApath /etc/pki/tls/certs

Unfortunately, the native browser doesn't seem to use the CA certificates, so next you can follow this post.


Comments

3

The native browser is Gecko/Firefox based; it brings its own certificate storage; your observation is correct.

tbr ( 2014-01-12 15:15:11 +0300 )

Does it make sense to copy this openssl-named file to /system/etc/security/cacerts for android stuff? (copy not symbolic link!)

cy8aer ( 2014-03-24 14:50:46 +0300 )

I have followed the above to add the Class 1 PKI Key Root Certificate and the below Class 3 PKI Key Intermediate Certificate, but I am still getting the "This Connection is Untrusted" message in the web browser when trying to access an https page secured by CAcert.org certificates I have generated for the site (error code: sec_error_unknown_issuer).

m2 ( 2014-04-25 20:13:46 +0300 )
1

@m2 follow the link at the end of this answer! Repeating it here for clarity: https://together.jolla.com/question/835/browser-personal-certificates-import/?answer=8170#post-id-8170 This answer is NOT about importing certificates to be used by the browser!

tbr ( 2014-04-25 21:48:08 +0300 )

Is the "browser step" still needed with 1.1.7?

From the release notes: Introduce certificate handling middleware (p11-kit). All crypto libraries now share one CA store.

ilpianista ( 2015-07-15 14:01:37 +0300 )
10

answered 2014-01-15 18:00:50 +0300


updated 2014-08-05 18:15:54 +0300

Instead of using the lengthy and awkward ln -s [...] you can use multi_c_rehash, which is a quite convenient tool that came out of the Mer project and can be used to create the hash symlinks in the /etc/pki/tls/certs directory.

So just place the (CA) certificate, in PEM format, in the directory /etc/pki/tls/certs and run multi_c_rehash afterwards. Don't forget to devel-su first :-)

4

answered 2015-10-14 14:59:35 +0300


Hello!

Now you do not necessarily need to install openssl.

Here are the contents of the file README (in /etc/pki/ca-trust/source/README) saying what to do.

This directory /etc/pki/ca-trust/source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in
/usr/share/pki/ca-trust-source/.

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Please refer to the update-ca-trust(8) manual page for additional information.

Comments

This sounds like I just have to copy the certificate into the quoted path. Is that correct?

jsommer ( 2018-05-12 18:55:19 +0300 )
3

answered 2013-12-26 22:11:58 +0300


updated 2013-12-26 22:30:20 +0300


First, install openssl: pkcon install openssl

Go to /etc/pki/tls/certs

Then, download the ca-cert certificate: curl http://www.cacert.org/certs/class3.crt -o ca-cert-c3.pem

Get the required hash link using openssl:

ln -s ca-cert-c3.pem $( openssl x509 -hash -noout -in ca-cert-c3.pem )".0"

That should be it.

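The steps from this answer and from AL13N's answer above, pulled together as an added example (my own script, not from the original posts): it copies the CA into the directory, creates the hash symlink, handles the case where <hash>.0 is already taken by a different certificate (OpenSSL also looks at <hash>.1, .2, ...), and verifies the result with openssl verify. /etc/pki/tls/certs is the default from the answers; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original answers: install a CA certificate into
# an OpenSSL -CApath directory and verify that OpenSSL can now find it.
set -eu

# install_ca_cert <ca.pem> [<cert dir>]
# Prints the name of the hash symlink it created (or that already existed).
install_ca_cert() {
    pem="$1"
    dir="${2:-/etc/pki/tls/certs}"   # Sailfish path from the answers
    # Refuse anything that is not a parseable X.509 certificate.
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || {
        echo "not an X.509 certificate: $pem" >&2; return 1; }
    hash=$(openssl x509 -hash -noout -in "$pem")
    fp=$(openssl x509 -fingerprint -sha256 -noout -in "$pem")
    cp "$pem" "$dir/"
    base=$(basename "$pem")
    n=0
    # OpenSSL looks up <hash>.0, <hash>.1, ... so take the first free suffix,
    # unless an existing link already points at this very certificate.
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(openssl x509 -fingerprint -sha256 -noout -in "$dir/$hash.$n")" = "$fp" ]; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$hash.$n"
    echo "$hash.$n"
}

# verify_with_capath <cert.pem> <cert dir>: exit 0 iff the chain verifies
# against the certificates in <cert dir>.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

Running it twice on the same file is safe: the second call returns the existing link instead of creating a stale duplicate.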

Comments

I'll accept the answer when i eventually get my Jolla :-)

AL13N ( 2013-12-26 22:30:42 +0300 )

Tried that, but it did not solve the original problem with XMPP with my own Jabber server (see http://talk.maemo.org/showthread.php?t=92053). With "bool:ignore-ssl-errors=false" the native IM client does not connect.

thessy ( 2013-12-27 21:44:33 +0300 )

Thanks, that works for apps using openssl. RFE: add a Makefile in /etc/pki/tls/certs like most distros have (shout if you want me to dig one out)

pcfe ( 2013-12-28 17:12:16 +0300 )
1

"is that really all for the certificates? What about /system/etc/security/cacerts? All out of the box certificates in /etc/pki/tls/certs seem to symbolic link into this directory... " (by @cy8aer )

AL13N ( 2013-12-30 18:38:08 +0300 )

@onion I tried to verify with

openssl s_client -connect www.rmail.be:443 -CApath /etc/pki/tls/certs

and it failed to find the issuer.

AL13N ( 2014-01-12 01:21:21 +0300 )