How do I install a root certificate?

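Can anyone point me to a good tutorial on installing a root certificate on Ubuntu?

I have been provided with a .crt file. I think I need to create a directory at /usr/share/ca-certificates/newdomain.org and place the .crt in that directory. Beyond that, I am not sure how to proceed.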

Answer 1

Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

  1. Create a directory for extra CA certificates in /usr/local/share/ca-certificates:

    sudo mkdir /usr/local/share/ca-certificates/extra
    
  2. Copy the CA .crt file to this directory:

    sudo cp foo.crt /usr/local/share/ca-certificates/extra/foo.crt
    
  3. Let Ubuntu add the path of the .crt file, relative to /usr/local/share/ca-certificates, to /etc/ca-certificates.conf:

    sudo dpkg-reconfigure ca-certificates
    

    To do this non-interactively, run:

    sudo update-ca-certificates
    

If you have a .pem file on Ubuntu, it must first be converted to a .crt file:

    openssl x509 -in foo.pem -inform PEM -out foo.crt

Or a .cer file can be converted to a .crt file:

    openssl x509 -inform DER -in foo.cer -out foo.crt

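Answer 2

Given a CA certificate file "foo.crt", follow these steps to install it on Ubuntu:

First, copy your CA to the directory /usr/local/share/ca-certificates/:

    sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Then, update the CA store:

    sudo update-ca-certificates

That's all. You should get this output: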

    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    Adding debian:foo.pem
    done.
    done.

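There is no need to edit any file. A link to your CA is created automatically.

Please note that the certificate file names must end in .crt, otherwise the update-ca-certificates script will not pick them up.

This procedure also works in newer versions: see the manual.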

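Answer 3

To clarify the difference between update-ca-certificates and dpkg-reconfigure ca-certificates, and why one works and the other does not!!

  • update-ca-certificates or sudo update-ca-certificates will only work if /etc/ca-certificates.conf has been updated.

  • /etc/ca-certificates.conf is only updated once you have run dpkg-reconfigure ca-certificates, which updates the names of the certificates to be imported into /etc/ca-certificates.conf.

This is stated in the header of the /etc/ca-certificates.conf file: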

    # This file lists certificates that you wish to use or to ignore to be
    # installed in /etc/ssl/certs.
    # update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
    #
    # This is autogenerated by dpkg-reconfigure ca-certificates.  <=======
    # Certificates should be installed under /usr/share/ca-certificates
    # and files with extension '.crt' is recognized as available certs.
    #
    # line begins with # is comment.
    # line begins with ! is certificate filename to be deselected.
    #
    mozilla/ACCVRAIZ1.crt
    mozilla/AC_RAIZ_FNMT-RCM.crt
    mozilla/Actalis_Authentication_Root_CA.crt
    mozilla/AddTrust_External_Root.crt
    ...

As you can see, the format in /etc/ca-certificates.conf is <folder name>/<.crt name>

So, in order to use update-ca-certificates or sudo update-ca-certificates, you can do the following to import a .crt:

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

     sudo mkdir /usr/share/ca-certificates/extra
    
  2. Copy the .crt file to this directory:

     sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
    
  3. Append a line to /etc/ca-certificates.conf using <folder name>/<.crt name>:

     echo "extra/foo.crt" | sudo tee -a /etc/ca-certificates.conf
    
  4. Update the certificates non-interactively with sudo update-ca-certificates:

     $ sudo update-ca-certificates
     ...
     Updating certificates in /etc/ssl/certs...
     1 added, 0 removed; done.
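
The checks the answers above rely on (PEM encoding, a name ending in .crt, and an entry in the `<folder name>/<.crt name>` form that is listed once and not deselected with `!`) can be scripted. This is an added example, not part of the original answers; the function names `cert_encoding`, `conf_status` and `conf_add` are hypothetical, and the conf file path is passed as a parameter so the helpers can be tried on a copy.

```shell
#!/bin/sh
# Added example: pre-flight helpers for the update-ca-certificates workflow.
# Function names are hypothetical. The conf path is a parameter, so the
# helpers can be tried on a copy of /etc/ca-certificates.conf first.

# cert_encoding FILE -> prints "pem", "der-or-other" or "missing".
# update-ca-certificates expects PEM; anything else needs the openssl
# conversion shown in Answer 1 before it is copied into place.
cert_encoding() {
    [ -f "$1" ] || { echo missing; return 1; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    else
        echo der-or-other
        return 1
    fi
}

# conf_status CONF ENTRY -> "selected", "deselected" (a line starting with !)
# or "absent". ENTRY uses the <folder name>/<.crt name> form.
conf_status() {
    if grep -Fxq -- "$2" "$1"; then
        echo selected
    elif grep -Fxq -- "!$2" "$1"; then
        echo deselected
    else
        echo absent
    fi
}

# conf_add CONF ENTRY: append ENTRY exactly once.
# Returns 2 for a name not ending in .crt, 3 if the entry is deselected.
conf_add() {
    case "$2" in
        *.crt) ;;
        *) echo "refusing $2: name must end in .crt" >&2; return 2 ;;
    esac
    case "$(conf_status "$1" "$2")" in
        selected)   return 0 ;;
        deselected) echo "$2 is deselected with ! in $1" >&2; return 3 ;;
        *)          printf '%s\n' "$2" >> "$1" ;;
    esac
}
```

On a real system /etc/ca-certificates.conf is root-owned, so `conf_add` has to run as root before `sudo update-ca-certificates`.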
    

Answer 4

For Ubuntu 18.04, the other answers did not work for me. Append the certificate to /etc/ssl/certs/ca-certificates.crt using the following command:

    cat YOUR_CERT_HERE.crt >> /etc/ssl/certs/ca-certificates.crt
