Recipe 4.6 Installing a New SSL Certificate

4.6.1 Problem

You have a certificate that your SSL clients (mutt, openssl, etc.) cannot verify. It was issued by a Certifying Authority (CA) not included in your installed list of trusted issuers.

4.6.2 Solution

Add the CA's root certificate to the list, together with any other, intermediate certificates you may need. First, ensure the certificates are in PEM format. [Recipe 4.10] A PEM format file looks like this:


Then for Red Hat, simply add it to the file /usr/share/ssl/cert.pem.

Note that only the base64-encoded data between the BEGIN CERTIFICATE and END CERTIFICATE lines is needed. Everything else is ignored. The existing file includes a textual description of each certificate as well, which you can generate [Recipe 4.5] and include if you like.

For SuSE, supposing your CA certificate is in newca.pem, run:

# cp newca.pem /usr/share/ssl/certs
# /usr/bin/c_rehash

4.6.3 Discussion

Red Hat keeps certificates in a single file, whereas SuSE keeps them in a directory with a particular structure, a sort of hash table implemented using symbolic links. You can also use the hashed-directory approach with Red Hat if you like, since it includes the c_rehash program.

Many programs have their own certificate storage and do not use this system-wide list. Netscape and Mozilla use ~/.netscape/cert7.db, KDE applications use $KDEDIR/share/config/ksslcalist, Evolution has its own list, and so on. Consult their documentation on how to add a new trusted CA.

Before installing a new CA certificate, you should be convinced that it's authentic, and that its issuer has adequate security policies. After all, you are going to trust the CA to verify web site identities for you! Take the same level of care as you would when adding a new GnuPG key as a trusted introducer. [Recipe 7.9]

4.6.4 See Also


    Chapter 9. Testing and Monitoring