Trusting additional CAs in Fedora / RHEL / CentOS: an alternative to editing /etc/pki/tls/certs/ca-bundle.crt (or /etc/pki/tls/cert.pem)
Around the internet, you can find various pages advising appending CA certificates to /etc/pki/tls/certs/ca-bundle.crt
or /etc/pki/tls/cert.pem
(they're the same file, one's a symlink to the other) as a good way to trust them.
This may be necessary, but it has drawbacks (the main one being that once you've edited the file, it will no longer be automatically updated; updates will appear as ca-bundle.crt.rpmnew
and you'll have to remember to manually move it to ca-bundle.crt
and re-append your custom certs). There's an alternative approach that may be better for you, even on really old RHEL / CentOS.
On Fedora since 19, RHEL / CentOS 7, and RHEL / CentOS 6 since this update, the Shared System Certificates feature is available. With that system, the correct method is to place the certificate to be trusted (in PEM format) in /etc/pki/ca-trust/source/anchors/
and run sudo update-ca-trust
. (If the certificate is in OpenSSL's extended BEGIN TRUSTED CERTIFICATE
format, place it in /etc/pki/ca-trust/source
). On RHEL 6, you have to activate the system with update-ca-trust enable
after installing the update; if you don't want to use it, you can try the approach below.
On RHEL / CentOS 5, that system isn't available. But it's still not a good idea to modify the distribution's bundle file unless you really have to, as explained above.
Instead of appending to the bundle file, you can try placing the certificate to be trusted (in PEM format with the extension .pem
) in /etc/pki/tls/certs
and run sudo c_rehash
(you may need a yum install /usr/bin/c_rehash
). The .pem
extension is important, c_rehash
will only process files with this extension.
Readers of my last post may grok what's going on there: /etc/pki/tls/certs
is OpenSSL's 'default CApath' on RHEL/CentOS, and OpenSSL will trust both certificates found in the 'default CAfile' - /etc/pki/tls/cert.pem
- and in the 'default CApath' - /etc/pki/tls/certs
.
The caveat is that this only works for things that use OpenSSL and use its default trust store locations. It won't work for apps that use OpenSSL but directly use the bundle file instead of using OpenSSL's 'default trust store' function, and it won't work for anything based on GnuTLS (whereas editing the bundle file often will, as we often have those patched to load the bundle file directly).
So sometimes you just have to edit the bundle file - but in some cases you might be able to avoid it.
Comments
By convention, software packages that needed to install anchors for some reason would put them in /usr/share/pki/ca-trust-source , while /etc/pki/ca-trust/source would be for the sysadmin to use.