Abstract:
If you are running your own X.509 certificate authority with a self-signed root certificate and want to use it to sign your own server certificates for use on Linux servers, then this article is for you.
This article explains how to install the root certificate of your self-signed certificate authority on your Linux server.

Prerequisites
(not required for java / Active Directory Plugin)
If not yet installed, install wget or curl; you will use one of these tools to download the root certificate.
$ sudo apt-get install curl
$ sudo apt-get install wget
Global per-server installation
Install the ca-certificates package. This downloads the root certificates of all public certificate authorities, so these will be trusted. It also creates a certificate store on your Linux server to which we can add our own self-signed root certificate.
$ sudo apt-get install ca-certificates
If you need the CA certificate in Java too, you will probably want to install the hook scripts for updating the trusted CA certificates for the JRE store:
$ sudo apt-get install ca-certificates-java
Create a separate folder to store our own CA certificate:
$ sudo mkdir /usr/share/ca-certificates/mydomain.com
Download your self-signed CA root certificate to your server-specific directory (in this case from Microsoft Certificate Services):
NOTE: replace ‘myusername’ with your AD username, and enter your AD password when asked for.
$ sudo wget -nv --no-check-certificate --http-user myusername --ask-password 'https://certificates.mydomain.com/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64' -O /usr/share/ca-certificates/mydomain.com/myca.mydomain.com.crt
Alternatively using curl:
$ sudo curl -k --ntlm -u myusername 'https://certificates.mydomain.com/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64' -o /usr/share/ca-certificates/mydomain.com/myca.mydomain.com.crt
Now reconfigure the ca-certificates package to trust the new certificate.
$ sudo dpkg-reconfigure ca-certificates
#-- Trust new certificates from certificate authorities? yes
#-- select mydomain.com/myca.mydomain.com.crt
Or automated:
$ sudo sed -e '/[!#[:space:]]*mydomain\.com\/myca\.mydomain\.com\.crt/d' -i /etc/ca-certificates.conf
$ echo 'mydomain.com/myca.mydomain.com.crt' | sudo tee -a /etc/ca-certificates.conf
$ sudo dpkg-reconfigure -f noninteractive ca-certificates
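The manual sed/echo/dpkg-reconfigure sequence above is easy to get wrong when it is run twice or when the entry was previously disabled with a leading '!'. The following script is an added example, not code from the original article: it registers a CA in the Debian ca-certificates store idempotently, refuses anything that is not a CA certificate, prints the SHA-256 fingerprint so it can be compared with the value published by the CA operator (the download step above skipped TLS verification), and verifies the result against the rebuilt bundle. /usr/share/ca-certificates and /etc/ca-certificates.conf are the real locations; the directory name mydomain.com and file name myca.mydomain.com.crt follow the article and are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent registration of a
# self-signed CA in the Debian/Ubuntu ca-certificates store. The store and
# config paths are real; "mydomain.com"/"myca.mydomain.com.crt" are assumed names.
set -eu

CA_STORE=/usr/share/ca-certificates
CA_CONF=/etc/ca-certificates.conf

# Print the SHA-256 fingerprint of FILE for an out-of-band comparison with the
# value the CA operator publishes (the download itself was not TLS-verified).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Return 0 only if FILE is a certificate whose basicConstraints say CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Escape STRING so it matches literally inside a grep -E pattern.
regex_escape() {
    printf '%s' "$1" | sed 's/[.[\*^$+?(){}|]/\\&/g'
}

# Ensure CONF holds exactly one enabled entry for REL. In ca-certificates.conf
# a leading '!' marks a disabled entry and '#' a comment; stale enabled,
# disabled or commented-out lines naming REL are dropped before the fresh
# entry is appended, so re-running the function is safe.
register_ca_entry() {
    conf="$1"; rel="$2"
    tmp="$(mktemp)"
    grep -v -E "^[!#[:space:]]*$(regex_escape "$rel")\$" "$conf" > "$tmp" || true
    printf '%s\n' "$rel" >> "$tmp"
    cat "$tmp" > "$conf"   # overwrite in place so owner and mode are preserved
    rm -f "$tmp"
}

# Number of enabled entries for REL in CONF (prints 0 if there are none).
count_entries() {
    grep -c -x -F "$2" "$1" || true
}

# Copy SRC into the store as DOMAIN/NAME, register it and rebuild /etc/ssl/certs.
# dpkg-reconfigure performs the same rebuild through update-ca-certificates.
install_ca() {
    src="$1"; domain="$2"; name="$3"
    [ "$(id -u)" -eq 0 ] || { echo "install_ca must run as root" >&2; return 1; }
    is_ca_cert "$src" || { echo "$src is not a CA certificate" >&2; return 1; }
    echo "Installing $(fingerprint "$src")"
    install -d -m 0755 "$CA_STORE/$domain"
    install -m 0644 "$src" "$CA_STORE/$domain/$name"
    register_ca_entry "$CA_CONF" "$domain/$name"
    update-ca-certificates
    # The CA is now exposed as /etc/ssl/certs/<name>.pem and included in the
    # bundle, so verifying the self-signed CA against the bundle must succeed.
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "/etc/ssl/certs/${name%.crt}.pem"
}

# Usage: sudo sh install-ca.sh /path/to/myca.mydomain.com.crt mydomain.com
if [ "$#" -ge 2 ]; then
    install_ca "$1" "$2" "$(basename "$1")"
fi
```

The final openssl verify is the check worth keeping: a certificate that update-ca-certificates silently skipped (wrong extension, not PEM, duplicate subject) will fail there instead of surfacing later as an unexplained handshake error.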
Java Note
If it’s not working for Java applications, you can try to restart the Java application or install the CA certificate manually:
$ ( cd ${JAVA_HOME}/jre/lib/security/ && sudo keytool -keystore cacerts -storepass changeit -alias 'Company:myca.mydomain.com.pem' -importcert -file /etc/ssl/certs/myca.mydomain.com.pem -noprompt )
You can check if the certificate is trusted now as follows:
$ ( cd ${JAVA_HOME}/jre/lib/security && keytool -list -keystore cacerts -storepass changeit ) | grep -i myca
Python Notes
Python has yet another special case. You might get the following error:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
In this case try the following steps:
$ sudo update-ca-certificates
Then disable the myca certificate (for example via dpkg-reconfigure ca-certificates) and enable it again.
User-Specific installation
Create a directory to store the certificates:
$ mkdir -p ~/.ssl/certs
Download the self-signed CA root certificate to your user-specific directory:
NOTE: replace ‘myusername’ with your AD username, and enter your AD password when asked for.
$ curl -k --ntlm -u myusername 'https://certificates.mydomain.com/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64' -o ~/.ssl/certs/myca.mydomain.com.crt
Create a symbolic link named after the certificate's subject hash; this is how OpenSSL's directory lookup (-CApath and tools built on it) finds the certificate:
$ ln -s ~/.ssl/certs/myca.mydomain.com.crt ~/.ssl/certs/$(openssl x509 -in ~/.ssl/certs/myca.mydomain.com.crt -hash -noout).0
Once this has been done we need to set the correct permissions on the folder:
$ chmod -R go-rwx ~/.ssl
$ chmod 0400 ~/.ssl/certs/myca.mydomain.com.crt
$ chmod 0400 ~/.ssl/certs/*.0
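The per-user steps above (copy, hash-named link, permissions) as one script, added here as an example and not part of the original article. It generalises the single ln -s line: the link target is relative so the directory can be moved, the .N suffix is incremented when two certificates share a subject hash (the rule c_rehash follows), the link is not duplicated on a second run, and the result is checked with openssl verify -CApath. The certificate directory is passed in rather than fixed to ~/.ssl/certs, which is the only assumption beyond the article's file names.

```shell
#!/bin/sh
# Added example (not from the original article): build and verify a per-user
# OpenSSL trust directory. The directory path is a parameter; ~/.ssl/certs in
# the usage line below follows the article and is an assumption.
set -eu

# Create DIR, copy CERT into it with owner-only permissions and print the
# destination path.
install_user_cert() {
    dir="$1"; cert="$2"
    mkdir -p "$dir"
    dest="$dir/$(basename "$cert")"
    cp "$cert" "$dest"
    chmod 0400 "$dest"
    chmod -R go-rwx "$dir"
    printf '%s\n' "$dest"
}

# Create the <subject-hash>.N link that OpenSSL's -CApath lookup expects and
# print its path. N is bumped past any existing link for a different
# certificate with the same hash; an identical link is reused, not duplicated.
link_by_hash() {
    cert="$1"; dir="$(dirname "$cert")"
    hash="$(openssl x509 -in "$cert" -noout -hash)"
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n" 2>/dev/null)" = "$(basename "$cert")" ]; then
            printf '%s\n' "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    # Relative target, so the whole directory can be relocated intact.
    ln -s "$(basename "$cert")" "$dir/$hash.$n"
    printf '%s\n' "$dir/$hash.$n"
}

# Return 0 if CERT verifies against the CAs in DIR (a self-signed CA placed in
# DIR verifies against itself, which is the check that the link is correct).
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Return 0 if no regular file under DIR is readable by group or others.
is_private_dir() {
    [ -z "$(find "$1" -type f \( -perm -g+r -o -perm -o+r \))" ]
}

# Usage: sh user-ca.sh /path/to/myca.mydomain.com.crt
if [ "$#" -ge 1 ]; then
    dest="$(install_user_cert "$HOME/.ssl/certs" "$1")"
    link_by_hash "$dest"
    verify_against_dir "$HOME/.ssl/certs" "$dest" && echo "trusted: $dest"
fi
```

Applications that honour SSL_CERT_DIR can then be pointed at the directory (SSL_CERT_DIR=~/.ssl/certs) without touching the system store; verify_against_dir is the same lookup those applications perform, so a failure there means the hash link, not the application, is the problem.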