If you're able to visit a website in a browser and it validates successfully, but you're not able to curl the website (i.e. you get certificate validation errors), then it is likely because your root certificate, your intermediate certificate, or both are not trusted by your system. Ubuntu provides an easy process for updating the root certificate store using the update-ca-certificates command, with /etc/ca-certificates.conf for configuration.
Certificates should be installed under /usr/share/ca-certificates. You should create a directory for your org to hold all of its certs and intermediates.
mkdir /usr/share/ca-certificates/my.org/
Copy your CA cert into /usr/share/ca-certificates/my.org/. You should also copy any intermediate certificates.
cp /etc/pki_jungle/certs/myca.crt /usr/share/ca-certificates/my.org/
Add your certificate to /etc/ca-certificates.conf so it is included by update-ca-certificates. You should also add any intermediates.
echo "my.org/myca.crt" >> /etc/ca-certificates.conf
Run update-ca-certificates so that your CA is installed in the system.
update-ca-certificates -f
For more information see man pages.
man update-ca-certificates
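The echo step above appends a new line every time it is run, and it does nothing useful if the entry is already present but deselected with a leading "!". The following is an added example, not part of the original page: a hypothetical helper, ca_conf_enable, that makes that step idempotent. The function name and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# ca_conf_enable CONF ENTRY
#   CONF  : a file in /etc/ca-certificates.conf format
#   ENTRY : certificate path relative to /usr/share/ca-certificates
# Does not add a second line if ENTRY is already present.
ca_conf_enable() {
    conf=$1
    entry=$2
    # Entries are relative paths; "#" starts a comment and "!" marks a
    # deselected certificate, so neither may begin an entry.
    case $entry in
        ''|/*|'#'*|'!'*)
            echo "invalid entry: '$entry'" >&2
            return 2 ;;
    esac
    # Already listed and active: nothing to do.
    if grep -qxF -- "$entry" "$conf"; then
        return 0
    fi
    # Listed but deselected ("!entry"): drop the "!" instead of appending
    # a second line.
    if grep -qxF -- "!$entry" "$conf"; then
        tmp=$(mktemp) || return 1
        awk -v e="!$entry" '$0 == e { print substr($0, 2); next } { print }' \
            "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner/mode
        rc=$?
        rm -f "$tmp"
        return $rc
    fi
    printf '%s\n' "$entry" >> "$conf"
}

# Demo on a constructed file (not the real /etc/ca-certificates.conf).
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'mozilla/Example_Root_CA.crt' \
    '!my.org/myca.crt' > "$demo"
ca_conf_enable "$demo" my.org/myca.crt
ca_conf_enable "$demo" my.org/myca.crt   # second run changes nothing
cat "$demo"
rm -f "$demo"
```

On a real system the call would be ca_conf_enable /etc/ca-certificates.conf my.org/myca.crt, run as root and followed by update-ca-certificates.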
The easiest way to obtain intermediate certificates is to open Firefox and export the intermediates (and possibly even the root certificate if it's not trusted).
TODO... finish
For RHEL it's a lot easier....