
Debian CA Root Installation

Installing CA certs in Debian

Installing your own root CA certificate on your servers is an appealing option if you host many services and do not wish to pay the widely varying costs for certificates from "trusted" 3rd parties. Alternatively, not having to deal with 3rd parties at all, or being able to include custom extensions, can pay significant dividends when administering your systems. In Debian this is a relatively straightforward affair; however, there is a right way and a wrong way to do it.

A quick look around the filesystem reveals an /etc/ssl/certs directory filled with certificates from various CAs around the world. However, placing a certificate in this directory does not work as one would expect, leaving you to scratch your head wondering why connections are being rejected with 'could not verify certificate' (openssl's wonderfully helpful message for being unable to verify that your certificate was issued by a trusted authority).

Debian has multiple directories for managing certificates: /usr/share/ca-certificates, its local counterpart /usr/local/share/ca-certificates, and /etc/ssl/certs. The final directory manages which certificates are 'active', while the other two store all activated and deactivated certificates. /etc/ssl/certs/ca-certificates.crt also contains a list of all active certificates in /etc/ssl/certs and mainly exists for compatibility with older versions of openssl that only supported a certificate store in a single file rather than a directory.

To install a certificate the 'correct' way and have it show up when you type dpkg-reconfigure ca-certificates try the steps below:

  • Create a directory under /usr/local/share/ca-certificates that corresponds to your certificates (in my case I chose the name 'pocketnix' for holding my certificates and created the directory with the following command: mkdir -p /usr/share/ca-certificates/pocketnix).
  • Copy the root CA into the directory mentioned above (in PEM format and with a file name ending in '.crt'), and make a note of the file name (PocketnixCA.crt for this example).
  • Edit /etc/ca-certificates.conf with your favourite text editor and add a line for your certificate (for the example above, pocketnix/PocketnixCA.crt was added).
  • Regenerate ca-certificates.crt and /etc/ssl/certs with the update-ca-certificates command.
  • Try to log into the service that was throwing the warning or error before, to confirm it's all working.

That's it: the certificate is now installed, should survive updates of the CA certificates, and can be enabled and disabled by reconfiguring the ca-certificates package.
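The steps above collected into one script, added here as an example rather than code from the original post. It follows the post's mkdir command and /etc/ca-certificates.conf entry in using /usr/share/ca-certificates as the base directory, checks that the file is PEM with a '.crt' name before registering it (update-ca-certificates ignores anything else), appends the conf line only once so re-runs are safe, and finishes with an openssl verify against the regenerated bundle; 'pocketnix' and PocketnixCA.crt are the post's example values.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Debian's ca-certificates
# package is installed. The CA name "pocketnix" and the file PocketnixCA.crt
# are the post's example values; run as root to actually install.
set -eu

CA_BASE=/usr/share/ca-certificates     # base that /etc/ca-certificates.conf entries are relative to
CA_CONF=/etc/ca-certificates.conf
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# A usable root must be PEM and end in .crt, otherwise update-ca-certificates skips it.
check_pem_cert() {
    case "$1" in *.crt) ;; *) return 1 ;; esac
    [ -f "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# The conf entry is the path relative to CA_BASE, e.g. pocketnix/PocketnixCA.crt
conf_entry() {
    printf '%s/%s\n' "$1" "$(basename "$2")"
}

# Append the entry only if it is not already present, so re-running does not duplicate it.
add_conf_entry() {
    conf=$1; entry=$2
    grep -qxF "$entry" "$conf" 2>/dev/null || printf '%s\n' "$entry" >> "$conf"
}

# Whole procedure: copy, register, regenerate, then verify the CA is now trusted.
install_local_ca() {
    name=$1; cert=$2
    check_pem_cert "$cert" || { echo "not a PEM .crt file: $cert" >&2; return 1; }
    mkdir -p "$CA_BASE/$name"
    cp "$cert" "$CA_BASE/$name/"
    add_conf_entry "$CA_CONF" "$(conf_entry "$name" "$cert")"
    update-ca-certificates
    # The regenerated bundle must verify the CA's own certificate, or nothing signed by it will work.
    openssl verify -CAfile "$CA_BUNDLE" "$cert"
}

# Usage (as root): sh install-ca.sh pocketnix /path/to/PocketnixCA.crt
if [ $# -eq 2 ]; then
    install_local_ca "$1" "$2"
fi
```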

If you are looking for more information try having a look in the following directories on a Debian system with the ca-certificates package installed:

  • /usr/share/doc/ca-certificates/examples/ca-certificates-local/README: this includes a guide to creating a Debian package with your certificates contained within it.