Re: update-ca-certificates
On Wed, Dec 13, 2023 at 09:47:41PM -0500, Jeffrey Walton wrote:
> On Wed, Dec 13, 2023 at 7:55 PM Pocket <pocket@columbus.rr.com> wrote:
> >
> > What format do certs need to be in to work with update-ca-certificates?
> >
> > PEM or DER?
>
> PEM
Well, let's look at man update-ca-certificates, shall we?
"Certificates must have a .crt extension..."
>
> > I have just finished writing some scripts to generate certs for my email
> > server and nginx server.
> >
> > [...]
> > Will pem format type certs work?
>
> Yes.
>
> You should also place the certificates in
> /usr/local/share/ca-certificates . Make the directory if it does not
> exist. And then run update-ca-certificates from the directory.
>
Again, from the manual:
"It reads the file /etc/ca-certificates.conf. Each line gives a pathname
of a CA certificate under /usr/share/ca-certificates that should be
trusted. Lines that begin with "#" are comment lines and thus ignored.
Lines that begin with "!" are deselected, causing the deactivation of
the CA certificate in question. Certificates must have a .crt extension
in order to be included by update-ca-certificates."
It is not enough to just put them in that directory. You also have to
update /etc/ca-certificates.conf.
-H
--
Henning Follmann | hfollmann@itcfollmann.com
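
Added example, not part of the thread and not the tool's own code: shell functions that apply the conf-file rules quoted from the man page above (`#` comment, `!` deselect, `.crt` extension) to a constructed sample, and tell a PEM file from a DER one by its header. The function names and sample paths are assumptions, as is reading the `.crt` rule literally for every conf line.

```shell
#!/bin/sh
# Added example: rules as quoted from update-ca-certificates(8) in this thread.
# Function names and sample data are hypothetical, not from the real tool.

# classify_conf_line LINE -> blank | comment | deselected | selected | not-crt
classify_conf_line() {
    case $1 in
        '')    echo blank ;;
        '#'*)  echo comment ;;      # "#" lines are comments and ignored
        '!'*)  echo deselected ;;   # "!" lines deactivate that CA certificate
        *.crt) echo selected ;;     # pathname with the required .crt extension
        *)     echo not-crt ;;      # assumption: no .crt extension, not included
    esac
}

# selected_certs FILE -> prints the pathnames the conf file marks as trusted
selected_certs() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(classify_conf_line "$line")" = selected ] && printf '%s\n' "$line"
    done < "$1"
    return 0
}

# is_pem FILE -> exit 0 if the file carries a PEM certificate header.
# DER is the raw binary encoding and has no such text header.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample in ca-certificates.conf format (not from a real system).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample
mozilla/Example_Root_CA.crt
!mozilla/Example_Distrusted_CA.crt
local/mail-server.pem
local/nginx-ca.crt
EOF

# Prints the two entries that are neither commented, deselected, nor non-.crt.
selected_certs "$SAMPLE_CONF"
```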