
Re: update-ca-certificates



On Wed, Dec 13, 2023 at 10:52 PM Jeffrey Walton <noloader@gmail.com> wrote:
>
> On Wed, Dec 13, 2023 at 9:58 PM Pocket <pocket@columbus.rr.com> wrote:
> >
> > On 12/13/23 21:47, Jeffrey Walton wrote:
> > > On Wed, Dec 13, 2023 at 7:55 PM Pocket <pocket@columbus.rr.com> wrote:
> > >> What format do certs need to be in to work with update-ca-certificates?
> > >>
> > >> PEM or DER?
> > > PEM
> >
> > Ok since I am using an intermediate cert to sign, I am creating a
> > combined PEM with the root CA and the intermediate cert like this
> >
> > cat "$directory"/certs/intermediate.cert.pem \
> >     "$ca_directory"/certs/ca.cert.pem > "$directory"/certs/ca-chain.cert.pem
> >
> > Will that work or does the cert have to be a single cert?
>
> I don't recall. I use one file for each certificate.
>
> Oh, and the file extension should be *.crt, not *.pem.
>
> > >> I have just finished writing some scripts to generate certs for my email
> > >> server and nginx server.
> > >>
> > >> [...]
> > >> Will pem format type certs work?
> > > Yes.
> > >
> > > You should also place the certificates in
> > > /usr/local/share/ca-certificates . Make the directory if it does not
> > > exist. And then run update-ca-certificates from the directory.
> >
> > That sub directory does indeed exist, so I need to run
> > update-ca-certificates from
> >
> > /usr/local/share/ca-certificates or can I just run update-ca-certificates as root?
>
> I don't recall. I run update-ca-certificates from
> /usr/local/share/ca-certificates as root.
>
> You might also be interested in update-ca-certificates(8) at
> <https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html>,
> and OpenSSL's c_rehash at
> <https://github.com/openssl/openssl/blob/master/tools/c_rehash.in>. In
> the past, I believe update-ca-certificates relied upon c_rehash for
> some operations.

I submitted a PR to update the documentation. The existing docs were
missing some useful options, and did not say how to add certificates
in a meaningful way.

Also see <https://salsa.debian.org/debian/ca-certificates/-/merge_requests/11>
and <https://salsa.debian.org/debian/ca-certificates/-/merge_requests/12>.

Jeff
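
The one-certificate-per-file, *.crt layout described in the reply above, as an added example that is not part of the original message: a POSIX shell function that splits a combined PEM bundle such as ca-chain.cert.pem into individual .crt files. The function name split_pem_bundle, the "local-ca" file prefix and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one certificate per .crt file.
# Usage: split_pem_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX-1.crt, PREFIX-2.crt, ... and prints the count.
split_pem_bundle() {
    bundle=$1 outdir=$2 prefix=$3
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v prefix="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/%s-%d.crt", dir, prefix, n)
            inside = 1
        }
        # Copy only lines inside a block; drop CRs left by DOS line endings.
        inside { sub(/\r$/, ""); print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END {
            if (inside) {
                print "unterminated certificate block" > "/dev/stderr"
                exit 2
            }
            print n + 0
        }
    ' "$bundle"
}

# Constructed sample bundle (placeholder bodies, not real certificates).
demo=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'QkJCQg==' '-----END CERTIFICATE-----' \
    > "$demo/ca-chain.cert.pem"
split_pem_bundle "$demo/ca-chain.cert.pem" "$demo/out" local-ca

# Installing the results, as root, following the steps in the thread:
#   cp "$demo"/out/*.crt /usr/local/share/ca-certificates/
#   cd /usr/local/share/ca-certificates && update-ca-certificates
```

With real certificates, running openssl x509 -in FILE -noout -subject on each output file confirms that it parses before it is copied into the trust directory.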

