My work has decided to issue their own certificate authority (CA) to handle different aspects of our work securely without paying for certificates.
- Cryptographically sign emails
- Encrypt email contents
- Make access to things like the company IRC client-certificate based.
- Revoke the keys of former employees automatically
They sent me a `.pem` file, and I'm not sure how to add it to my Ubuntu install. The instructions sent were: "Double-clicking on it on a Mac should install it."
How do I proceed? Do I need to do something with OpenSSL to create a `.key`, `.csr`, or `.crt` file?
Best Answer
Installing a CA
Copy your certificate in PEM format (the format that has `----BEGIN CERTIFICATE----` in it) into `/usr/local/share/ca-certificates` and name it with a `.crt` file extension.
Then run `sudo update-ca-certificates`.
Caveats: This installation only affects products that use this certificate store. Some products may use other certificate stores; if you use those products, you'll need to add this CA certificate to those other certificate stores, too. (Firefox Instructions, Chrome Instructions, Java Instructions)
Testing The CA
You can verify if this worked by looking for the certificate that you just added in `/etc/ssl/certs/ca-certificates.crt` (which is just a long list of all of your trusted CAs concatenated together).
You can also use OpenSSL's `s_client` by trying to connect to a server that you know is using a certificate signed by the CA that you just installed.
The first thing to look for is the certificate chain near the top of the output. This should show the CA as the issuer (next to `i:`). This tells you that the server is presenting a certificate signed by the CA you're installing.
Second, look for the `verify return code` at the end to be set to `0 (ok)`.
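The two checks from the answer above, scripted as an added example that is not part of the original answer: one function confirms the installed certificate really is in the bundle by comparing certificate bodies, the other runs `s_client` and tests the verify return code. The file name `company-ca.crt` and host `irc.example.internal:6697` are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). File names and host names in
# the usage lines at the bottom are placeholders.

BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Print the base64 body of every certificate in a PEM file, one per line,
# with the BEGIN/END markers, line wrapping and CRs removed.
pem_bodies() {
    awk '
        /-BEGIN CERTIFICATE-/ { inside = 1; body = ""; next }
        /-END CERTIFICATE-/   { if (inside) print body; inside = 0; next }
        inside                { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Succeed only if the first certificate in $1 is present in the bundle $2
# (default: the system bundle). Returns 2 if $1 holds no certificate.
ca_in_bundle() {
    local want
    want=$(pem_bodies "$1" | head -n 1)
    [ -n "$want" ] || { echo "no certificate found in $1" >&2; return 2; }
    pem_bodies "${2:-$BUNDLE}" | grep -qxF -- "$want"
}

# Connect to $1 (host:port) and succeed only if s_client reports
# "Verify return code: 0 (ok)". The chain's subject (s:) and issuer (i:)
# lines are echoed to stderr so the issuing CA can be read off.
server_verifies() {
    local out
    out=$(openssl s_client -connect "$1" -servername "${1%%:*}" \
            -CAfile "${2:-$BUNDLE}" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | grep -E '^ *[0-9]+ s:|^ +i:' >&2 || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Usage (placeholders):
#   ca_in_bundle /usr/local/share/ca-certificates/company-ca.crt && echo "in store"
#   server_verifies irc.example.internal:6697 && echo "chain verifies"
```

By default `s_client` completes the handshake even when verification fails, so a successful connection alone proves nothing; the verify return code is the result to check.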