It's difficult to tell whether I've succeeded in trusting a given certificate, after I have installed it, especially for root CAs.
To check whether I have successfully installed a certificate without making an SSL request to a server that may or may not provide it, I would like to list all system-wide available SSL certificates.
I followed the instructions here, and they worked:
https://serverfault.com/questions/559571/install-a-root-certificate-in-centos-6
Also, this asks a similar question, but gives an answer for Gentoo systems:
Best Answer
// , Use the openssl command to get output from /etc/ssl/certs/ca-bundle.crt
Anyway, I tried the following, mostly copied from https://unix.stackexchange.com/a/97249/48498, and it seemed to work if I changed the filename to account for CentOS 6:
If you don't want to have to bother with the --insecure flag or its analogues on cURL, wget, Git, etc., you can add a CA root certificate, self-signed certificate, or certificate chain to your trust store as follows:
1. Follow the instructions to download the .crt, .pem, or .cer of your choice.
2. Obtain the certificate you want to trust through whatever mechanism you use, often by downloading it from a central repository or by extracting it from an SSL handshake with openssl s_client -showcerts -connect some.host.that.uses.that.root:443, or such, and copy it to the following folder on the target CentOS 6 host:
3. Run the following commands while logged in to the target host:
4. Verify the results on the Red Hat based OS, e.g.:
This should yield a long list of responses of the form:
Step #4 in the above answers this question, and the other steps provide context for the unwary.
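An added example, not part of the original answer: one way to list every certificate in a PEM bundle and to check by SHA-256 fingerprint whether a specific certificate is in it, without contacting any server. The function names and the demo certificate helper are hypothetical; the default bundle path is the one named in the answer.

```shell
#!/bin/sh
# Added example: enumerate a PEM trust bundle and test for one certificate.

# Print one line per certificate in bundle $1: SHA-256 fingerprint and subject.
# Default path is the CentOS 6 bundle named in the answer.
list_bundle_certs() {
    bundle="${1:-/etc/ssl/certs/ca-bundle.crt}"
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    pem=""; in_cert=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----"*) in_cert=1; pem="" ;;
        esac
        if [ "$in_cert" -eq 1 ]; then
            pem="${pem}${line}
"
        fi
        case "$line" in
            "-----END CERTIFICATE-----"*)
                # Hand each PEM block to openssl and join its output on one line.
                printf '%s' "$pem" |
                    openssl x509 -noout -fingerprint -sha256 -subject |
                    paste -sd' ' -
                in_cert=0 ;;
        esac
    done < "$bundle"
}

# Exit 0 if the certificate in file $1 appears in bundle $2 (fingerprint match).
bundle_contains() {
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    list_bundle_certs "$2" | grep -F "$want" >/dev/null
}

# Constructed demo input: throwaway self-signed cert with CN=$1, written to $2.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}
```

Matching on the fingerprint rather than the subject avoids a false positive when a different certificate carries the same subject name.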