user552788

Reputation: 13

Red Hat - Accept Self-Signed Certificates

Is there a way I can get a Red Hat Linux box to trust a self-signed certificate?

e.g. wget https://example.com gives an error that the certificate is untrusted, as 'https://example.com' has a self-signed certificate; with wget, '--no-check-certificate' can override checking of the certificate. But I would like to get Red Hat to implicitly trust the self-signed certificate. Is there a way to do this?

Thanks.

Upvotes: 1

Views: 3950

Answers (1)

Rosh Oxymoron

Reputation: 21065

That's not a coding/programming question per se, but I figure this answer might be equally valid when writing software, so I'll post it anyway.

Trusting self-signed certificates by default in a computer system you're using or software that you're writing is a terrible idea. If you accept all certificates it would make a man in the middle attack trivial. All the attacker needs to do is to present a self-signed certificate to you and decrypt and re-encrypt the traffic.

Usually for such situations you need to create your own certificate authority, sign your certificates with it, and add it to /etc/ca-certificates.conf or whatever Red Hat uses.

If you were writing software of your own, I'd also keep track of the old certificates that a given host provided, so that I'm warned if it had changed because I have my doubts that fully trusting global CAs is wise.

I'd say the following are best practice:

  1. For services of your own, or for anything that needs to signify that services are provided by a given entity you trust, create a CA and use it for the certificates.
  2. For anything else, establish a secure connection once, keeping the security token (SSL certificate fingerprint, SSH/GPG fingerprint, etc.), and be wary if it has changed. If you are paranoid, at the first use make sure that the fingerprint is OK by connecting from various places, or by using it for a few days, or by another channel (not really important because the chance of a MITM during the first connect has a very low probability, but still not negligible).

Upvotes: 1
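The two practices from the answer above, worked through as an added example (this is not code from the original question or answer): a private CA that issues a certificate for the server, a self-signed certificate of the kind a man-in-the-middle could mint on the spot to show that it fails against that CA, and a trust-on-first-use pin store keyed by SHA-256 fingerprint. The hostnames, the "Example Internal Root CA" name, the working directory and the pin-file layout are assumptions for illustration; it needs the openssl command-line tool. The Red Hat-specific part the answer leaves open is the comment at the end: on RHEL, CentOS and Fedora the anchor directory is /etc/pki/ca-trust/source/anchors/ and the store is rebuilt with update-ca-trust.

```shell
#!/bin/sh
# Added example, not from the original answer: private CA plus signed server
# certificate (best-practice item 1) and a trust-on-first-use fingerprint pin
# store (item 2). Hostnames, paths and the CA name are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so nothing here depends on the system openssl.cnf.
write_req_conf() {   # $1 = output file, $2 = CN
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Private CA: its certificate is self-signed, but it is marked CA:TRUE so the
# chain check accepts it as an issuer. Keep ca.key offline in practice.
make_ca() {
    write_req_conf "$WORK/ca.cnf" "Example Internal Root CA"
    openssl req -config "$WORK/ca.cnf" -x509 -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server certificate for host $1, signed by the CA (so NOT self-signed).
# The SAN is what clients match against the hostname they connected to.
make_server_cert() {
    write_req_conf "$WORK/$1.cnf" "$1"
    openssl req -config "$WORK/$1.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$WORK/$1.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# What an attacker in the middle can produce instantly: a self-signed
# certificate for $1 that no CA vouches for.
make_self_signed() {
    write_req_conf "$WORK/$1.cnf" "$1"
    openssl req -config "$WORK/$1.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
        -days 30 -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Chain check against our CA only (what the system store does once the CA is
# installed). Prints OK or FAIL. $1 = certificate file
verify_against_ca() {
    if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

fingerprint() {   # $1 = certificate file; prints the SHA-256 fingerprint
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Trust on first use: record the fingerprint the first time a host is seen,
# afterwards compare against the record. Prints NEW, OK or CHANGED.
# $1 = host, $2 = certificate file, $3 = pin store file ("host fingerprint" per line)
pin_check() {
    fp="$(fingerprint "$2")"
    touch "$3"
    stored="$(grep "^$1 " "$3" | cut -d' ' -f2 || true)"
    if [ -z "$stored" ]; then
        echo "$1 $fp" >> "$3"; echo NEW
    elif [ "$stored" = "$fp" ]; then
        echo OK
    else
        echo CHANGED      # the host's certificate changed: investigate before trusting
    fi
}

# End-to-end run of the pieces above.
demo() {
    make_ca
    make_server_cert example.com
    make_self_signed rogue.example.com
    echo "signed by our CA:   $(verify_against_ca "$WORK/example.com.crt")"        # OK
    echo "self-signed (MITM): $(verify_against_ca "$WORK/rogue.example.com.crt")"  # FAIL
    echo "first use:  $(pin_check example.com "$WORK/example.com.crt" "$WORK/pins")"        # NEW
    echo "second use: $(pin_check example.com "$WORK/example.com.crt" "$WORK/pins")"        # OK
    echo "swapped:    $(pin_check example.com "$WORK/rogue.example.com.crt" "$WORK/pins")"  # CHANGED
}
demo

# To make the whole Red Hat box trust the CA (needs root):
#   cp "$WORK/ca.crt" /etc/pki/ca-trust/source/anchors/example-internal-ca.crt
#   update-ca-trust
# After that, wget https://example.com verifies without --no-check-certificate,
# provided the server presents example.com.crt with example.com.key.
```

Note what is and is not being trusted: the box trusts one CA key you control, and only certificates that CA has signed; a random self-signed certificate, including the attacker's, still fails, which is the whole point of not using --no-check-certificate. The pin store is the complement for hosts outside your own CA: it cannot tell a legitimate rotation from an interception, so CHANGED means "verify through another channel", not "refuse forever".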
