Add a custom certificate authority to Ubuntu

certificate ssl

In short: You need to update every application by itself

Not even Firefox and Thunderbird share certificates.

Unfortunately Linux has no central place to store/manage SSL-certificates. Windows does have such a place but in the end you end up with the same problem (Firefox/Thunderbird won't use the Windows provided API to determine validity of an SSL cert)

I'd go with something like puppet/cfengine on each of the hosts and place the needed root certificates on all the clients with the mechanisms those tools provide.


Sadly programs like firefox and thunderbird use their own database.

However you could write a script to find all the profiles, then add the cert. Here is the tool to add the cert: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

As well you can setup a default cert8.db file, so new profiles will get it too.

For other applications its a matter of if they support the central store or not.


The method you've specified will update the central /etc/ssl/certs/ca-certificates.crt. However, you'll find most applications aren't configured to use this file. Most applications can be configured to point at the central file. There's no automatic way of making everything use this file without reconfiguring them.

It may be worth filing bugs in Ubuntu/Debian to use this file by default.

Related

Common WQL Monitoring Queries
How can I switch an existing set of Subversion repositories to use ActiveDirectory? (svnserve/windows)
Remote Desktop fails without error message
can someone explain IOSTAT ouput?
Installing SSL Certificate for use in IIS7, installation "works", but cert listing disappears
How can I balance incoming web traffic amongst N apache servers?
nmap does not find alive hosts with ping scan
How does BER compare between different 10GbE physical media?
How do you document/track your permissions
Why is Linux kdump not writing to /var/crash?
How to stop SSH passphrase prompt? [closed]
How can I disable an Azure Redis Cache?