How does one install a custom CA certificate on CentOS?

I'm trying to install a certificate for my internal certificate server on a series of CentOS systems, and I'm finding the documentation on this to be almost non-existent.

My end goal is to be able to use git, curl, and others against internal secure servers without errors.

On Ubuntu it's simple enough, you throw the certificate in a folder and run a command to generate a series of links to add the CA cert to the certification path.

I cannot for the life of me find out how to do this on CentOS; plenty of information is available on trusting random certificates. (To wit: create a symlink in /etc/pki/tls/certs to the PEM-encoded cert file, named with the hash of the certificate. It didn't work for my CA, since the aforementioned apps still can't verify a certificate signed by the CA.)

How do you install a new root CA on a CentOS system?


Solution 1:

As of CentOS 6+, there is a tool for this. Per this guide, certificates can be installed first by enabling the system shared CA store:

update-ca-trust enable

Then place the certificates to trust as CAs in /etc/pki/ca-trust/source/anchors/ for high priority (non-overridable), or /usr/share/pki/ca-trust-source/ (lower priority, overridable), and finally update the system store with:

update-ca-trust extract

Et voilà, system tools will now trust those certificates when making secure connections!
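
The script below is an added example, not part of the answer above. It wraps the steps in Solution 1 with the checks a practitioner wants around them: refuse a file that is not PEM (a .p12 or PKCS#7 blob dropped into anchors is silently ignored, which looks exactly like the symptom in the question), warn when the file carries no CA:TRUE basic constraint (a server certificate placed in anchors does not make chains issued by the real CA verify), rebuild the extracted stores, and confirm that the rebuilt bundle actually trusts the anchor before trying git or curl. The anchors directory and bundle path are the ones update-ca-trust documents; the sample file names and the hostname in the comments are constructed. The script runs only `update-ca-trust extract`; on CentOS 6 the one-time `update-ca-trust enable` from the answer still has to be run first, while CentOS 7 ships with the shared store already enabled.

```shell
#!/bin/sh
# Added example (not from the answer above): install a private CA into the
# CentOS shared trust store with the sanity checks a practitioner wants.
# ANCHOR_DIR and BUNDLE are the paths update-ca-trust documents; the sample
# file names and hostnames in comments are constructed for illustration.

ANCHOR_DIR=${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}
# ca-bundle.crt is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem,
# which "update-ca-trust extract" rebuilds (alongside extracted/java/cacerts).
BUNDLE=${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}

# is_pem FILE: succeed if FILE holds at least one PEM certificate block.
# A .p12 or a PKCS#7 bundle dropped into anchors is simply ignored, which
# looks exactly like "I copied the cert and nothing changed".
is_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -- '-----END CERTIFICATE-----' "$1"
}

# is_ca_cert FILE: succeed if openssl reports basicConstraints CA:TRUE.
# A server (leaf) certificate placed in anchors does not make chains issued
# by the real CA verify; only the CA certificate itself does.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# anchor_name FILE: destination file name inside the anchors directory.
# Keeps the basename, forces .pem, and replaces anything outside
# [A-Za-z0-9._-] so an odd source name cannot produce an odd anchor name.
anchor_name() {
  an_base=$(basename "$1")
  an_base=${an_base%.*}
  an_base=$(printf '%s' "$an_base" | tr -c 'A-Za-z0-9._-' '_')
  printf '%s.pem\n' "$an_base"
}

# install_ca FILE [ANCHOR_DIR]: copy FILE into the anchors directory and
# rebuild the extracted stores. The directory is a parameter so the copy
# logic can be exercised against a scratch directory without root.
# Returns 2 for a non-PEM input, 1 if the copy fails, 0 otherwise, and
# prints the path of the installed anchor.
install_ca() {
  ic_src=$1
  ic_dir=${2:-$ANCHOR_DIR}
  if ! is_pem "$ic_src"; then
    echo "refusing: $ic_src is not a PEM certificate" >&2
    return 2
  fi
  if command -v openssl >/dev/null 2>&1 && ! is_ca_cert "$ic_src"; then
    echo "warning: $ic_src has no CA:TRUE basic constraint; certificates it did not sign will not verify" >&2
  fi
  ic_dest="$ic_dir/$(anchor_name "$ic_src")"
  mkdir -p "$ic_dir" || return 1
  cp "$ic_src" "$ic_dest" || return 1
  chmod 0644 "$ic_dest" || return 1
  if command -v update-ca-trust >/dev/null 2>&1; then
    # CentOS 6 additionally needs the one-time "update-ca-trust enable"
    # from the answer; CentOS 7 ships with the shared store enabled.
    update-ca-trust extract
  else
    echo "note: update-ca-trust not found; copied $ic_dest only" >&2
  fi
  echo "$ic_dest"
}

# verify_trusted CERT [BUNDLE]: succeed if the (rebuilt) bundle trusts CERT.
# Run this after install_ca; if it fails, git and curl will fail too.
verify_trusted() {
  openssl verify -CAfile "${2:-$BUNDLE}" "$1" >/dev/null 2>&1
}

# Usage: sudo ./install-ca.sh internal-root-ca.crt
# then, e.g.: curl -sS -o /dev/null https://git.internal.example/
if [ $# -ge 1 ]; then
  install_ca "$1" && verify_trusted "$1" && echo "trusted: $1"
fi
```

If verify_trusted fails right after a successful extract, the usual cause is that the file in anchors is a leaf certificate or an intermediate rather than the root, so check the warning from is_ca_cert before blaming git or curl.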

Solution 2:

Unfortunately I don't think there is a single centralized way to do this in CentOS. I've spent a great deal of time trying to accomplish the same thing. The primary pki tls certificate store is used for a lot but definitely not everything.

My solution has been to maintain a Puppet module that will push an updated certificate store to each location used per product. The basic logic is: if a given store exists, then add my custom entry.

This isn't perfect (some Tomcat instances I deploy have an internal Java install with a non-standard cacerts directory, for one), but it handles most of my needs.