
Re: update-ca-certificates



On Wed, Dec 13, 2023 at 9:58 PM Pocket <pocket@columbus.rr.com> wrote:
>
> On 12/13/23 21:47, Jeffrey Walton wrote:
> > On Wed, Dec 13, 2023 at 7:55 PM Pocket <pocket@columbus.rr.com> wrote:
> >> What format do certs need to be in to work with update-ca-certificates?
> >>
> >> PEM or DER?
> > PEM
>
> Ok since I am using an intermediate cert to sign, I am creating a
> combined PEM with the root CA and the intermediate cert like this
>
> cat "$directory"/certs/intermediate.cert.pem "$ca_directory"/certs/ca.cert.pem > "$directory"/certs/ca-chain.cert.pem
>
> Will that work or does the cert have to be a single cert?

I don't recall. I use one file for each certificate.

Oh, and the file extension should be *.crt, not *.pem.

> >> I have just finished writing some scripts to generate certs for my email
> >> server and nginx server.
> >>
> >> [...]
> >> Will pem format type certs work?
> > Yes.
> >
> > You should also place the certificates in
> > /usr/local/share/ca-certificates . Make the directory if it does not
> > exist. And then run update-ca-certificates from the directory.
>
> That subdirectory does indeed exist, so do I need to run
> update-ca-certificates from
>
> /usr/local/share/ca-certificates or can I just run update-ca-certificates as root?

I don't recall. I run update-ca-certificates from
/usr/local/share/ca-certificates as root.

You might also be interested in update-ca-certificates(8) at
<https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html>,
and OpenSSL's c_rehash at
<https://github.com/openssl/openssl/blob/master/tools/c_rehash.in>. In
the past, I believe update-ca-certificates relied upon c_rehash for
some operations.

Jeff
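
The advice in this message (PEM input, one file per certificate, a *.crt extension) put together as an added example that is not part of the original message: it splits a combined bundle such as ca-chain.cert.pem into per-certificate .crt files and rejects input with no PEM block. The function names, the local-ca prefix and the sample bundle are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: split a combined PEM bundle into one .crt file per certificate.
# split_pem_bundle, make_sample_bundle and demo are hypothetical helper names.

# Usage: split_pem_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX-1.crt, OUTDIR/PREFIX-2.crt, ... and prints the count.
# Returns 1 if the file contains no PEM certificate block (for example DER).
split_pem_bundle() {
    bundle=$1 outdir=$2 prefix=$3
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo "no PEM certificate found in $bundle (DER input?)" >&2
        return 1
    fi
    mkdir -p "$outdir"
    # Copy each BEGIN..END block to its own file; text outside blocks is dropped.
    awk -v out="$outdir/$prefix" '
        /^-----BEGIN CERTIFICATE-----/ { n++; file = out "-" n ".crt"; inside = 1 }
        inside { print > file }
        /^-----END CERTIFICATE-----/   { inside = 0; close(file) }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed sample: two placeholder blocks in the order the post concatenates
# them (intermediate first, then root). The base64 is not a real certificate.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
EOF
}

# Stand-alone run: split the sample in a temporary directory and list the files.
demo() {
    tmp=$(mktemp -d)
    make_sample_bundle "$tmp/ca-chain.cert.pem"
    split_pem_bundle "$tmp/ca-chain.cert.pem" "$tmp/out" local-ca
    ls "$tmp/out"
    rm -rf "$tmp"
}
demo
```

The resulting .crt files are what would be copied into /usr/local/share/ca-certificates before running update-ca-certificates as root, as described in the message.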

