Re: update-ca-certificates

To: debian-user@lists.debian.org
Subject: Re: update-ca-certificates
From: Pocket <pocket@columbus.rr.com>
Date: Thu, 14 Dec 2023 08:40:56 -0500
Message-id: <[🔎] be6c4427-3963-46cc-b85f-8007ba48c8d6@columbus.rr.com>
In-reply-to: <[🔎] ZXr-8OGU8ftO6Fn_@oppenheimer.itcfollmann.com>
References: <[🔎] 8f940077-1197-451e-b765-5da729479811@columbus.rr.com> <[🔎] CAH8yC8kUrq02Hmptn9yAyH8HoJzaEuCgvg9NbDg0AZycLmzQ+A@mail.gmail.com> <[🔎] ZXr-8OGU8ftO6Fn_@oppenheimer.itcfollmann.com>


On 12/14/23 08:11, Henning Follmann wrote:

On Wed, Dec 13, 2023 at 09:47:41PM -0500, Jeffrey Walton wrote:

On Wed, Dec 13, 2023 at 7:55 PM Pocket <pocket@columbus.rr.com> wrote:

What formats does certs need to be to work with update-ca-certificates?

PEM or DER?

PEM

Well lets look at man update-ca-certificates, shall we?

"Certificates must have a .crt extension..."


Lets have a look at some of the standards shall we?

https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/

A cert that have a suffix of .crt are in DER format by this convention.maybe the script should actually look for PEM files?

Should the suffix of the file be .pem as the certs that are referencedby the conf file seem to be in PEM format?


Well yes that would eliminate the confusion and we can not have that can we.

I have just finished writing some scripts to generate certs for my email
server and nginx server.

[...]
Will pem format type certs work?

Yes.

You should also place the certificates in
/usr/local/share/ca-certificates . Make the directory if it does not
exist. And then run update-ca-certificates from the directory.

again from the manual:
"It reads the file /etc/ca-certificates.conf. Each line gives a pathname
        of a CA certificate under  /usr/share/ca-certificates  that  should  be
        trusted.  Lines that begin with "#" are comment lines and thus ignored.
        Lines that begin with "!" are deselected, causing the  deactivation  of
        the CA certificate in question. Certificates must have a .crt extension
        in order to be included by update-ca-certificates."


It is not enough to just put them in that directory. You also have to
update /etc/ca-certificates.conf


-H



Is that in the bash script?

I don't see it can you point it out?

Doesn't it also say /usr/local/share/ca-certificates also is in play?

Notice the man page has noting about the format and if each cert must bea single file or can you concat multiple certs into a single file.


The docs are clearly insufficient.

I am currently looking at the bash script, not the docs.


--

It's not easy to be me

Reply to:

Follow-Ups:
- Re: update-ca-certificates
  - From: Linux-Fan <Ma_Sys.ma@web.de>

References:
- update-ca-certificates
  - From: Pocket <pocket@columbus.rr.com>
- Re: update-ca-certificates
  - From: Jeffrey Walton <noloader@gmail.com>
- Re: update-ca-certificates
  - From: Henning Follmann <hfollmann@itcfollmann.com>

Prev by Date: Re: update-ca-certificates
Next by Date: openssh: missing kex_exchange_identification ssh error messages with 1:9.5p1-2?
Previous by thread: Re: update-ca-certificates
Next by thread: Re: update-ca-certificates
Index(es):
- Date
- Thread