Adding SSL certificate for Github only (not all certificates from ca-certificates package)

certificates git github ssl

I get the following error when accessing Github over HTTPS:

error: server certificate verification failed. 
CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

This is because I don't have any certificates in /etc/ssl/certs/. I know how to fix this problem. I can install the package ca-certificates from the Debian repository. The problem is, however, that this will install all certificates (thousands) which I don't necessarily want to accept/trust.

How can I install the certificate for Github only?

Subproblem/Subquestion

On another machine, where the package ca-certificates is already installed and git works, I have noticed that some certificates in /etc/ssl/certs/ are one-certificate-per-file and others are many-certificates-in-one-file. The particular file containing the Github certificate, /etc/ssl/certs/ca-certificates.crt, contains over 150 other certificates:

$ grep 'BEGIN CERTIFICATE' /etc/ssl/certs/ca-certificates.crt | wc -l
159

How can I find which one out of these 159 certificates is the one I need? (other than brute force – slicing the file in halves and checking both halves, repeating while n > 1).

Best Answer

In order to access your Github you need to do it via ssh. So you need to add your ssh public key to github. After that you are able to access github via ssh i.e.:

git clone git@github.com:yourname/yourrepo.git

See also: Github: generating ssh keys, WikiHow

[Edit #1]

without certificate checks:

GIT_SSL_NO_VERIFY=true git clone https://github.com/p/repo.git

or authenticated

GIT_SSL_NO_VERIFY=true git clone https://user:pass@github.com/p/repo.git

For me it is still not clear what you are asking for, because you know that installing ca-certificates will fix the problem.

[Edit #2]

Ok, the other question was

how to have only the certificate which is needed to access github.com via https

  1. Open your browser and navigate to https://github.com/. Click on the green name to the left of https:// and click on Certificates. On the Details tab, you'll see the certificate chain, which is:

    DigiCert ...
      DigiCert ...
       github.com ...
    
  2. Export each of the DigiCert certificates to a file.

  3. Copy the files to /etc/ssl/certs/
  4. Run c_rehash, which cats all certificates to ca-certificates.crt
  5. You are done.

As I said, I am not a friend of such actions because github can change the CAs at any time, so it will always result in additional work.
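
For the subquestion (which of the 159 entries in ca-certificates.crt is the one needed), the exported CA certificates can be matched against the bundle by SHA-256 fingerprint instead of bisecting the file. This is an added example, not part of the original question or answer; the function names are assumptions and the sample data is constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def fingerprint(der):
    """SHA-256 over the DER encoding, the value browsers show as the fingerprint."""
    return hashlib.sha256(der).hexdigest()

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pin_from_bundle(bundle_pem, exported_pem):
    """Locate each exported CA certificate inside the bundle.

    Returns (positions, pinned_pem, missing): 1-based positions in the bundle,
    a PEM holding only the matches, and fingerprints that were not found
    (for example an intermediate, which system bundles usually do not carry).
    """
    wanted = {fingerprint(d) for d in split_bundle(exported_pem)}
    positions, pinned = [], []
    for pos, der in enumerate(split_bundle(bundle_pem), start=1):
        fp = fingerprint(der)
        if fp in wanted:
            positions.append(pos)
            pinned.append(to_pem(der))
            wanted.discard(fp)
    return positions, "".join(pinned), sorted(wanted)

def placeholder(name):
    # Constructed sample data: arbitrary bytes in PEM armor, NOT real certificates.
    return to_pem(f"constructed-placeholder:{name}".encode())

BUNDLE = "".join(placeholder(n) for n in ("ca-one", "ca-two", "ca-three", "ca-four"))
EXPORTED = placeholder("ca-three") + placeholder("intermediate-not-in-bundle")

if __name__ == "__main__":
    positions, pinned, missing = pin_from_bundle(BUNDLE, EXPORTED)
    print("matching bundle positions:", positions)
    print("exported certificates not in bundle:", len(missing))
    print(pinned, end="")
```

With real files, the pinned PEM can be written to a path of your choice and given to git through the `http.sslCAInfo` setting, which keeps verification on while trusting only the selected CA.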
