How do I trust a self-signed certificate?

You want to trust a single self-signed certificate to identify the server it's used on without either trusting it as a CA to sign other certificates, or firing up your own CA root.

For RedHat 6, you need to put the server certificate into /etc/pki/tls/certs/, in a file whose name is the hash number of the certificate, with .0 appended.

Start by putting the certificate into a temporary file, say /tmp/selfie.crt. Find the hash with openssl x509 -noout -hash -in /tmp/selfie.crt; let's assume for the sake of argument it's 1234abcd. Put the certificate into the trusted store for RH6 with cp /tmp/selfie.crt /etc/pki/tls/certs/1234abcd.0.

Thanks to Nick Burch's guide on the subject for refreshing my memory about the details.

Though now you can get certificates publicly signed for $9 for the year, if not less, it's beginning to be more trouble than it's worth to do this.
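The steps from the answer above as a script. This is an added example, not part of the original answer: `install_hashed_cert` and `is_trusted` are hypothetical helper names, the certificate is a constructed sample, and a scratch directory stands in for /etc/pki/tls/certs. It goes slightly beyond the answer by handling the case where the `.0` name is already taken by a different certificate with the same hash.

```shell
#!/bin/sh
# Added example. Uses a scratch directory, not /etc/pki/tls/certs, so it runs unprivileged.

# install_hashed_cert CERT DIR -> prints the path the certificate was stored at
install_hashed_cert() {
    cert=$1; dir=$2
    # Refuse input that does not parse as an X.509 certificate.
    openssl x509 -noout -in "$cert" 2>/dev/null || { echo "not a certificate: $cert" >&2; return 1; }
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || return 1
    n=0
    # Certificates with the same subject share a hash; OpenSSL then tries .1, .2, ...
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$hash.$n")" = "$fp" ]; then
            echo "$dir/$hash.$n"; return 0    # this exact certificate is already there
        fi
        n=$((n + 1))
    done
    cp "$cert" "$dir/$hash.$n" && echo "$dir/$hash.$n"
}

# is_trusted CERT DIR -> exit status 0 if CERT verifies against the hashed directory
is_trusted() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Constructed sample: a throwaway self-signed certificate for selfie.example.
work=$(mktemp -d)
mkdir "$work/certs"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=selfie.example" \
    -keyout "$work/selfie.key" -out "$work/selfie.crt" 2>/dev/null

is_trusted "$work/selfie.crt" "$work/certs" || echo "before install: not trusted"
installed=$(install_hashed_cert "$work/selfie.crt" "$work/certs")
echo "installed as $installed"
is_trusted "$work/selfie.crt" "$work/certs" && echo "after install: trusted"
```

Before copying a certificate into the real trust directory, compare its SHA-256 fingerprint with one obtained from the server's administrator over a separate channel, since whatever is placed there will be accepted without any further check.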


A CA certificate is a certificate. So adding your certificate in the directory should work. I just tried adding one of the certificates I trusted in Firefox to /etc/ca-certificates/trust-source/anchors/, and deleted it from my trusted certs in Firefox. I reloaded the page and it told me the cert wasn't trusted. I restarted Firefox and now I can access the page.

I had to run update-ca-trust to make it work with wget.

Mine is in .pem format, a BEGIN/END file. What distro do you use? Did you try restarting your tools?