Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

import self signed certificate in redhat

How can I import a self-signed certificate in Red-Hat Linux.

I'm not an expert with respect to certificates and find it difficult to find the right answer through googling, since I don't know the difference between a .cer, .crt or a .pem. Having said that, what I would like to do should not be rocket science (In windows I can do this with a few clicks in my browser) I want to connect to a server that makes use of a self-signed certificate. For example using wget, without having to use the --no-check-certificate option. To make this work I will have to add the self-signed certificate of the server to my RedHat box. I have found out the certificates reside in /etc/pki/tls. But I am at a loss what actions I should perform to make wget function without complaining.

I can get the SSL certificate from the server using:

openssl s_client -connect server:443

The certificate is between "BEGIN CERTIFICATE and END CERTIFICATE" I do not know what kind of certificate this is. Next I will have to put it in the /etc/pki/tls/certs directory and apply some openssl secert sauce I don't know about. Can you help?

like image 662
atomcoffee Avatar asked Mar 19 '14 14:03

atomcoffee


People also ask

How do I import a self signed certificate?

Import the self-signed certificate to the client Windows computer. On the Windows computer, start MMC (mmc.exe). Add the Certificates snap-in for the computer account and manage certificates for the local computer. Import the self-signed certificate into Trusted Root Certification Authorities > Certificates.

How import PEM file in Linux?

Navigate to Advanced > Certificates > Manage Certificates > Your Certificates > Import. From the "File name:" section of the Import window, choose Certificate Files from the drop-down, and then find and open the PEM file.


2 Answers

I don't know of a way to import a specific site-cert into OpenSSL's trust db (I wish I did!), but since you're talking about a self-signed cert we can approach it by importing your cert as new trusted CA cert. Warning though: you're also going to be trusting any sites that are signed by that cert.

Find and download the cert

You can download a self-signed cert directly from a site quickly with:

openssl s_client -connect server:443 <<<'' | openssl x509 -out /path/file 

Note that you should only do this in the case of a self-signed cert (as mentioned in the original question). If the cert is signed by some other CA, you can't run with the above; instead, you will need to find the appropriate CA cert and download that.

Import the cert and make it trusted

The update-ca-trust command was added in Fedora 19 and RHEL6 via RHEA-2013-1596. If you have it, your steps are dumb-simple (but require root/sudo):

  1. copy the CA cert to /etc/pki/ca-trust/source/anchors/
  2. update-ca-trust enable; update-ca-trust extract
  3. (Note that the enable command isn't necessary in RHEL7 & modern Fedora)

If you don't have update-ca-trust, it's only a little harder (and still requires root/sudo):

  1. cd /etc/pki/tls/certs
  2. copy the CA cert here
  3. ln -sv YOURCERT $(openssl x509 -in YOURCERT -noout -hash).0

PS: The question mentioned Red Hat, but for anyone looking at doing the same with something besides Fedora/RHEL, wiki.cacert.org/FAQ/ImportRootCert might be helpful.

like image 135
rsaw Avatar answered Sep 28 '22 00:09

rsaw


You can do what you want to do using these steps:

  1. Put the SSL certificate (including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines) into a file in the directory "/etc/pki/tls/certs" - for the sake of example, let's call it "myserver.pem".
  2. Compute the certificate hash of this certificate by running

    openssl x509 -noout -hash -in /etc/pki/tls/certs/myserver.pem

    for the sake of example, let's assume the hash value is "1a2b3c4d".

  3. Make a symbolic link in the certs directory based on this hash value, like this:

    ln -s /etc/pki/tls/certs/myserver.pem /etc/pki/tls/certs/1a2b3c4d.0

    I'm assuming that there are no other certificates already in this directory that hash to the same hash value - if there already is a "1a2b3c4d.0", then make your link "1a2b3c4d.1" instead (or if there's already a ".1", make yours ".2", etc...)

wget and other tools that use SSL will then recognize that certificate as valid. There may be a simpler way to do this using a GUI but works to do it via the command line.

like image 27
patbarron Avatar answered Sep 28 '22 00:09

patbarron