Installing own CA root certificate into openSUSE
Monday, February 3. 2014
This puzzled me for a while. It is almost impossible to install the root certificate of your own CA into openSUSE Linux and make it stick. Initially I tried the classic /etc/ssl/certs/ directory, which works for every OpenSSL installation. But in this case it looks like some sort of script cleans out any certificates it does not recognise, so effectively my own changes won't last beyond a couple of weeks.
This issue is really poorly documented, and searching the Net yields hardly any usable results. The one useful thing I found was a Nabble discussion thread titled "unify ca-certificates installations". There they pretty much confirm that there is a script doing the updating, and luckily they give a hint about which script it is.
To solve this, the root certificate needs to be in /etc/pki/trust/anchors/. When the certificate files (in PEM format) are placed there, run the update with the update-ca-certificates command. Example run:
# /usr/sbin/update-ca-certificates
2 added, 0 removed.
The script, however, does not process revocation lists properly. I didn't find anything concrete about them, except manually creating symlinks in the /var/lib/ca-certificates/openssl/ directory.
Example of verification failing:
# openssl verify -crl_check_all test.certificate.cer
test.certificate.cer: CN = test.site.com
error 3 at 0 depth lookup:unable to get certificate CRL
To get this working, we'll need the hash of the revocation list. The hash value is actually the same as the CA certificate's hash value, but this is how you get it:
openssl crl -noout -hash -in /etc/pki/trust/anchors/revoke.crl
Then create the symlink:
ln -s /etc/pki/trust/anchors/revoke.crl \
/var/lib/ca-certificates/openssl/-the-hash-.r0
Now test the verify again:
# openssl verify -crl_check_all test.certificate.cer
test.certificate.cer: OK
Yesh! It works!
Funny how openSUSE chose a completely different way of handling this... and then chose not to document it enough.
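The whole procedure above, rebuilt in a scratch directory so it can be tried without root and without touching /etc/pki/trust/anchors/ or /var/lib/ca-certificates/openssl/. This is an added example, not code from the original post or from openSUSE's ca-certificates package; it assumes only that an openssl binary (1.1.1 or 3.x) is on PATH. It creates a throwaway CA, a CRL signed by it and a leaf certificate, then shows that openssl verify -crl_check_all fails against the hash directory until the CRL is linked in as <hash>.r0, and that the CRL hash matches the CA certificate's subject hash, as the post notes.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the <hash>.r0 symlink
# step against a scratch copy of the OpenSSL hash directory.
# Assumption: an "openssl" binary (1.1.1 or 3.x) is on PATH.

# File name OpenSSL's hash-directory lookup expects for a CRL:
# <issuer-name-hash>.r0  ("r" marks a CRL, "0" is the first file for that hash).
crl_link_name() {
    printf '%s.r0\n' "$(openssl crl -noout -hash -in "$1")"
}

# Same scheme for a CA certificate: <subject-name-hash>.0
cert_link_name() {
    printf '%s.0\n' "$(openssl x509 -noout -hash -in "$1")"
}

# Build a throwaway CA, a CRL signed by it and a leaf certificate under $1,
# then run "openssl verify -crl_check_all" against a hash directory before
# and after the CRL symlink exists. Prints one line such as
#   before=FAIL after=OK same_hash=yes
# and returns 0 only when the symlink turns the failure into a success.
demo_crl_symlink() {
    work="$1"
    anchors="$work/anchors"   # stands in for /etc/pki/trust/anchors/
    store="$work/store"       # stands in for /var/lib/ca-certificates/openssl/
    mkdir -p "$anchors" "$store"
    : > "$work/index.txt"     # empty CA database, needed by "openssl ca"
    echo 01 > "$work/crlnumber"

    # Minimal config shared by "openssl req" (CA self-signing) and "openssl ca -gencrl".
    cat > "$work/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $work/index.txt
crlnumber = $work/crlnumber
certificate = $anchors/demo-ca.crt
private_key = $work/ca.key
default_md = sha256
default_crl_days = 30
EOF

    # Self-signed root CA: the "own CA root certificate" of the post (constructed).
    openssl req -x509 -config "$work/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj /CN=DemoRootCA -days 365 \
        -keyout "$work/ca.key" -out "$anchors/demo-ca.crt" 2>/dev/null
    # Leaf certificate issued by that CA (plays the role of test.certificate.cer).
    openssl req -new -config "$work/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj /CN=test.site.com -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$work/leaf.csr" -CA "$anchors/demo-ca.crt" \
        -CAkey "$work/ca.key" -set_serial 1 -days 365 -out "$work/leaf.crt" 2>/dev/null
    # Empty CRL issued by the CA (plays the role of revoke.crl).
    openssl ca -config "$work/openssl.cnf" -gencrl -out "$anchors/revoke.crl" 2>/dev/null

    # The CA certificate is reachable through the hash directory as <hash>.0 ...
    ln -s "$anchors/demo-ca.crt" "$store/$(cert_link_name "$anchors/demo-ca.crt")"

    # ... but with no <hash>.r0 present, -crl_check_all cannot find a CRL.
    if openssl verify -CApath "$store" -crl_check_all "$work/leaf.crt" >/dev/null 2>&1
    then before=OK; else before=FAIL; fi

    # The manual step from the post: link the CRL in as <hash>.r0.
    ln -s "$anchors/revoke.crl" "$store/$(crl_link_name "$anchors/revoke.crl")"

    if openssl verify -CApath "$store" -crl_check_all "$work/leaf.crt" >/dev/null 2>&1
    then after=OK; else after=FAIL; fi

    # "openssl crl -hash" hashes the CRL issuer name, "openssl x509 -hash" the
    # certificate subject name; for the CA's own CRL these are the same name.
    crl_hash=$(crl_link_name "$anchors/revoke.crl");   crl_hash=${crl_hash%.r0}
    ca_hash=$(cert_link_name "$anchors/demo-ca.crt"); ca_hash=${ca_hash%.0}
    if [ "$crl_hash" = "$ca_hash" ]; then same=yes; else same=no; fi

    echo "before=$before after=$after same_hash=$same"
    [ "$before" = FAIL ] && [ "$after" = OK ]
}

# Usage: run the demonstration in a temporary directory.
# tmp=$(mktemp -d); demo_crl_symlink "$tmp"; rm -rf "$tmp"
```

On a real openSUSE box the two ln -s lines correspond to what update-ca-certificates already does for the certificate and what you have to do by hand for the CRL; only the target directory differs.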
Alexander on :
This probably saved me from hours of research!
Jari Turkia on :
Adam Williamson on :
This isn't true and never has been. RHEL and Fedora have never used that directory in the same way as Debian; it exists on RHEL/Fedora since https://bugzilla.redhat.com/show_bug.cgi?id=572725 , but isn't really much use at all. Debian's system which handles /etc/ssl/certs in a specific way has only ever been present on Debian and its derivatives.
The system SUSE is using seems to be its own homegrown one - looks like https://github.com/openSUSE/ca-certificates - which means Fedora/RHEL, SUSE, and Debian each have their own system for generating a system trust store from individual certs and CRLs...joy.
Fedora/RHEL's system is https://fedoraproject.org/wiki/Features/SharedSystemCertificates . Arch now uses it as well.
Jari Turkia on :
I'm not sure which part of "Installing own CA root certificate into openSUSE" gears your thinking towards RHEL / Fedora. There must be some hidden logic which isn't obvious to me.
The default location for certs-directory according to OpenSSL source code (https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/Makefile.org) is /usr/local/ssl/certs. Obviously, any Linux distro packager will change that.
To confirm this I downloaded OpenSSL source code of openSUSE 12.3 from http://download.opensuse.org/source/distribution/12.3/repo/oss/suse/src/openssl-1.0.1e-1.1.1.src.rpm. It clearly says:
%define ssletcdir %{_sysconfdir}/ssl
config_flags=--openssldir=%{ssletcdir}
./config $config_flags
... making the OpenSSL default directory into /etc/ssl/certs/. Which, then again, any openSUSE user can confirm from their own installation.
This makes my original statement correct and your new one incorrect. Care to comment on that one?
cary on :
It's really helpful and solved my problem. I've searched for a long time for how to install the private crt into the root store, but there are always only guides for Ubuntu or other things. No words about openSUSE, but only you!
lol
Really, thanks.