rink.attendant.6

Reputation: 46297

Trust self-signed certificate CentOS 7

I am generating a self-signed certificate for a development server but I need it to be trusted in order to use some of the tools that will be using the certificate.

This is what I have tried:

openssl req -newkey rsa:2048 -x509 -nodes -keyout /etc/ssl/private/server.key -new -out /etc/ssl/certs/server.crt -reqexts v3_req -extensions v3_req -config /vagrant/openssl.san.conf -sha256 -days 1825

ln --symbolic /etc/ssl/certs/server.crt /etc/pki/ca-trust/source/anchors/server.crt

update-ca-trust extract

I tried grepping the ca-bundle.crt file for the contents of server.crt after running the update-ca-trust command but it wasn't there.

I have also tried copying the file instead of making a symlink but that did not work either.

The certificate is created correctly and works for Apache but it produces the self-signed error:

[vagrant@localhost certs]$ curl --head https://localhost/
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

How can I trust my self-signed certificate on the command line on the server?

Upvotes: 12

Views: 12913

Answers (3)

Rosdi Kasim

Reputation: 26036

I solved this issue by updating the ca-bundle.crt file like so:

cp ~/my-self-signed-cert.crt /etc/pki/ca-trust/source/anchors/
cat /etc/pki/ca-trust/source/anchors/my-self-signed-cert.crt >> /etc/pki/tls/certs/ca-bundle.crt

curl https://<my_website.com>

It works after that.

Upvotes: 1

Yuri

Reputation: 4498

Your problem is that update-ca-trust accepts only certificates marked as CA. There is an X.509 extension called Basic Constraints which is used to mark whether a certificate belongs to a CA or not. update-ca-trust silently skips those not marked as CA.

Check your certificate for the CA constraint:

openssl x509 -noout -text -in <cert_file> | grep "CA:TRUE"

The CA:TRUE can be set using the OpenSSL config.

Upvotes: 3

Weshome

Reputation: 9

I simply issue the following command and fill in my private DNS name in the Common Name section.

openssl req  -new -x509 -newkey rsa:2048 -nodes  -keyout ca.key -days 365 -out ca.crt

After the following commands, the self-signed certificate will be trusted.

cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Upvotes: 1
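As an added example (not code from the question or from any of the answers), the script below ties the three answers together: it generates a self-signed certificate whose v3_req section carries basicConstraints = CA:TRUE, applies Yuri's grep check plus an openssl verify self-check, and installs the file the way Weshome does, through /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust extract. The host name dev.example.internal, the output paths and the function names are assumptions. Weshome's plain openssl req -x509 works with the stock config because its v3_ca section sets basicConstraints = CA:true, whereas a custom v3_req section like the one the question selects presumably lacks that line; the script makes the flag explicit so it no longer depends on which config is in use.

```shell
#!/bin/sh
# Added example (not from the question or any answer): build a self-signed
# certificate that update-ca-trust will accept, check the Basic Constraints
# extension, then install it as a trust anchor on CentOS 7.
# Host name, paths and function names are illustrative assumptions.
set -eu

# Minimal OpenSSL request config. The v3_req section mirrors the one the
# question selects with -extensions v3_req; the line update-ca-trust cares
# about is basicConstraints = CA:TRUE.
write_req_config() {
    cfg="$1"; cn="$2"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[v3_req]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn, DNS:localhost
EOF
}

# Key + self-signed certificate in one step, same shape as the question's
# command but with a config that carries the CA flag.
make_dev_ca_cert() {
    key="$1"; crt="$2"; cn="$3"
    cfg=$(mktemp)
    write_req_config "$cfg" "$cn"
    openssl req -new -x509 -nodes -sha256 -days 1825 \
        -newkey rsa:2048 -keyout "$key" -out "$crt" \
        -config "$cfg" -extensions v3_req
    rm -f "$cfg"
}

# Yuri's check: succeeds only when the certificate is marked as a CA.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q "CA:TRUE"
}

# A self-signed certificate must validate against itself before it is
# worth installing anywhere.
self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Install as an anchor (needs root). Dropping the file into the anchors
# directory and re-running extract is the supported route; appending to
# ca-bundle.crt by hand (Rosdi's approach) is lost the next time
# update-ca-trust extract regenerates that bundle.
install_anchor() {
    crt="$1"
    is_ca_cert "$crt" || { echo "refusing: $crt is not marked CA:TRUE" >&2; return 1; }
    cp "$crt" /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract
}

main() {
    cn="${1:-dev.example.internal}"            # assumed host name
    key="${2:-/etc/ssl/private/server.key}"    # assumed output paths
    crt="${3:-/etc/ssl/certs/server.crt}"
    make_dev_ca_cert "$key" "$crt" "$cn"
    if is_ca_cert "$crt"; then echo "CA:TRUE present"; fi
    if self_verifies "$crt"; then echo "certificate verifies against itself"; fi
    if [ "$(id -u)" -eq 0 ]; then
        install_anchor "$crt"
        # curl now trusts the certificate through the system bundle, so the
        # --cacert option is not needed.
        curl --head "https://$cn/" || true
    fi
}

# Run only when asked; sourcing the file just defines the functions.
case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

Run it as root with sh trust-dev-cert.sh run [host] [keyfile] [certfile]; without root it still generates the files and reports the two checks, so the CA flag can be confirmed before touching the system trust store.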
