[lug] self-signed ssl certs under CentOS

Lee Woodworth blug-mail at duboulder.com
Fri Jan 27 01:54:51 MST 2017


Don't know CentOS, but since I haven't seen anyone post instructions
I will suggest something to try.

Check that your cert and ca-bundle.crt are in the same format,
hopefully PEM:

  $ file /etc/ssl/certs/ca-certificates.crt
  /etc/ssl/certs/ca-certificates.crt: PEM certificate

  $ head /etc/ssl/certs/ca-certificates.crt
  -----BEGIN CERTIFICATE-----
  MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
  AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw

If your certs are in PEM format and a grep of /etc/pki/tls/certs/ca-bundle.crt
for text unique to your ca cert returns something, your ca cert may be getting
rejected for not being configured as a ca certificate**. You might look at
easy-rsa for setting up a private PKI that can generate CA, server and client
certs without too much work.

Otherwise concatenating your PEM encoded ca cert to ca-bundle.crt
might work.

HTH

-------------------------

** $ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -noout -text
...
    X509v3 Basic Constraints: critical
        CA:TRUE
...
    X509v3 Key Usage: critical
        Certificate Sign, CRL Sign
...

On 01/26/2017 04:13 PM, Michael J. Hammel wrote:
> Does anyone have a concise set of steps for dropping a self-signed cert
> in .pem format onto CentOS 7 so libCurl will use it?
> 
> I've tried following the directions for update-ca-trust by dropping the
> file in the following directories, one at time
> 
>    /etc/pki/ca-trust/source/anchors
>    /etc/pki/ca-trust/source/
>    /etc/pki/ca-trust/extracted/pem/
> 
> And then running
> 
>     update-ca-trust extract
> 
> after each.  Then I run a C client that uses libCurl, but I always get
> this:
> 
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * Server certificate:
> *       subject: CN=xxx,OU=xxx,O=xxx,L=Colorado Springs,ST=Colorado,C=US
> *       start date: Jan 26 22:51:10 2017 GMT
> *       expire date: Jan 24 22:51:10 2027 GMT
> *       common name: xxx
> *       issuer: CN=xxx,OU=xxx,O=xxx,L=Colorado Springs,ST=Colorado,C=US
> * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
> * Issuer certificate is invalid.
> 
> (xxx are redacted fields).  The same cert works on Debian, which has a
> much simpler process: just drop the file in /etc/ssl/certs.  Does a
> cert generated on Debian have to be regenerated on CentOS?   I didn't
> think so but who knows.
> 
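The two checks in Lee's reply (is the file PEM like ca-bundle.crt, and does it carry the CA:TRUE basic constraint that the footnote's openssl output shows), as an added shell example that is not part of the thread. It builds constructed demo certificates with the openssl CLI (assumed to be 1.1.1 or newer for -addext): a self-signed server cert made with "openssl x509 -req", which gets no CA extension, a self-signed CA cert with CA:TRUE plus Certificate Sign/CRL Sign, and a DER copy of the CA cert to show the format check. The file names, the demo-*.example subjects and the script name check_anchor.sh are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the checks Lee suggests
# (PEM format, CA:TRUE basic constraint) run against constructed demo
# certificates. Assumes the openssl CLI (1.1.1+ for -addext) is on PATH.

# Return 0 if the file at $1 is a PEM-encoded certificate, 1 otherwise.
# A DER file fails this check and cannot simply be appended to ca-bundle.crt.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if the PEM cert at $1 carries X509v3 Basic Constraints CA:TRUE,
# the line the footnote's "openssl x509 -text" output shows for a CA cert.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Basic Constraints/ { getline; print }' \
        | grep -q 'CA:TRUE'
}

# Return 0 if the PEM cert at $1 also has the "Certificate Sign" key usage.
has_cert_sign_usage() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Key Usage/ { getline; print }' \
        | grep -q 'Certificate Sign'
}

# Build constructed demo certs in a scratch directory and print its path:
#   server.pem - self-signed via "openssl x509 -req", so no CA extension
#   ca.pem     - self-signed CA with CA:TRUE and Certificate Sign/CRL Sign
#   ca.der     - the same CA cert in DER, to exercise the format check
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-server.example' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 30 -out "$dir/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=demo-ca.example' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -addext 'keyUsage=critical,keyCertSign,cRLSign' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der" 2>/dev/null
    echo "$dir"
}

# Demo run: "sh check_anchor.sh demo" reports each file the way the
# thread reasons about it (format first, then the CA flag).
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_certs)
    for f in "$d/server.pem" "$d/ca.pem" "$d/ca.der"; do
        if ! is_pem_cert "$f"; then
            echo "$f: not PEM; convert with: openssl x509 -inform DER -in FILE -out FILE.pem"
        elif is_ca_cert "$f"; then
            echo "$f: PEM with CA:TRUE, usable as a trust anchor"
        else
            echo "$f: PEM but no CA:TRUE, the case the reply suspects behind SEC_ERROR_CA_CERT_INVALID"
        fi
    done
    rm -rf "$d"
fi
```

The awk step prints the line following the "X509v3 Basic Constraints" header, which is where openssl places the CA:TRUE/CA:FALSE value, so the check works whether or not the extension is marked critical.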
