Browsers have a list of trusted "certification authority" (CA) certificates. If a server's certificate is signed by one of those CA certificates and properly formed, you won't get the SSL warning.
Many browsers ship with many common CA certificates such as Verisign, Thawte, etc. Most browsers allow you to import a new CA into this list of trusted CAs.
Like creating your own self-signed server certificate, you can create your own self-signed CA certificate. You can then use that to sign your server certificate. If your CA is not provided by a well-known company, which it wouldn't be if it's one you made, it will have to be explicitly imported on the server side.
I've used xca to do this before. It has templates for CAs and HTTP servers. The procedure is this:
- Create a private key for your CA
- Create a self-signed CA using this key using the "CA" template
- Create a private key for your proxy server
- Create a "certificate signing request" (CSR) using the second key, referencing the CA you just made.
- "Sign" the CSR and you'll have the proxy server certificate, which references your own CA.
You will then need to export (as a file if using xca) the CA certificate (but don't include the private key, of course). A .pem will be generated but you can change the extension to .crt. When a user clicks on that, it will be offered for installation in Firefox and Internet Explorer, and possibly other major browsers. As for automatic installation of this .crt, you can:
- use group policy on IE
- direct users to an introduction page asking them to download/install the .crt if they want to avoid warnings.
You can then use the export functions on the HTTP server certificate (export both the private key and the certificate for the server side) to put on your proxy server.
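The same five steps done with the openssl command line instead of xca, as an added example that is not part of the original answer; the organisation name "MyCorp" and the hostname "proxy.example.internal" are assumptions, and everything is written to a scratch directory rather than the system trust store.

```shell
#!/bin/sh
# Added example, not code from the original answer: the xca steps above done
# with the openssl CLI. "MyCorp" and "proxy.example.internal" are assumptions.
set -eu

# Scratch directory: nothing here touches the system trust store.
WORK="${WORK:-$(mktemp -d)}"

# Extension profiles. The CA certificate must carry CA:TRUE (or browsers will
# not accept it as an issuer); the server certificate must not, and it needs a
# subjectAltName matching the proxy's hostname.
write_ext_cnf() {
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:proxy.example.internal
EOF
}

# The five steps of the answer: CA key, self-signed CA, proxy key, CSR, signing.
make_certs() {
  write_ext_cnf
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -config "$WORK/ext.cnf" -extensions ca_ext \
    -subj "/O=MyCorp/CN=MyCorp Root CA" -out "$WORK/ca.crt"
  openssl genrsa -out "$WORK/proxy.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/proxy.key" -config "$WORK/ext.cnf" \
    -subj "/O=MyCorp/CN=proxy.example.internal" -out "$WORK/proxy.csr"
  openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/ext.cnf" \
    -extensions server_ext -out "$WORK/proxy.crt" 2>/dev/null
}

# Succeeds only if proxy.crt chains to ca.crt, which is exactly the check a
# browser performs once ca.crt has been imported as a trusted CA.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/proxy.crt" >/dev/null; }

# Subject of the CA, in the form the awk check in the other answer prints.
ca_subject() { openssl x509 -noout -subject -in "$WORK/ca.crt"; }
```

ca.crt is the file to hand out to browsers; proxy.key and proxy.crt are what goes on the proxy server.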
Use the openssl command to get output from /etc/ssl/certs/ca-bundle.crt
Anyway, I tried the following, mostly copied from https://unix.stackexchange.com/a/97249/48498, and it seemed to work if I changed the filename to account for CentOS 6:
If you don't want to have to bother with the --insecure flag or its analogues on cURL, wget, Git, etc., you can add a CA root certificate, self-signed certificate, or certificate chain to your trust store as follows:
1. Follow the instructions to download the .crt, .pem, or .cer of your choice.
2. Obtain the certificate you want to trust through whatever mechanism you use, often by downloading it from a central repository or by extracting it from an SSL handshake with openssl s_client -showcerts -connect some.host.that.uses.that.root:443, or such, and copy it to the following folder on the target CentOS 6 host:
/etc/pki/ca-trust/source/anchors/
3. Run the following commands while logged in to the target host:
$ sudo update-ca-trust enable; sudo update-ca-trust extract
4. Verify the results on the Red Hat based OS, e.g.:
$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt
This should yield a long list of responses of the form:
subject= /C=US/O=MyCorp/CN=root-ca-2048
Step #4 in the above answers this question, and the other steps provide context for the unwary.
Best Answer
As already mentioned, SUSE supports ca-certificates starting with openSUSE 13.1 / SLES 12.
The difference to Debian/Ubuntu is the directory for your certificates. The SLES man page for update-ca-certificates has these directories:
The openSUSE package mentions these: