{"id":3903,"date":"2024-02-02T21:08:24","date_gmt":"2024-02-03T02:08:24","guid":{"rendered":"https:\/\/dft.wiki\/?p=3903"},"modified":"2026-06-08T16:26:38","modified_gmt":"2026-06-08T20:26:38","slug":"issuing-and-managing-certificate-authorities-on-linux","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=3903","title":{"rendered":"Issuing and Managing Certificate Authorities on Linux"},"content":{"rendered":"<p>SSL\/TLS certificates for websites and servers are just one component of a Chain of Trust, a fundamental concept to ensure the security and data integrity of online communications. It involves various elements, including certificate authorities, public and private keys, and digital signatures, to establish and verify the legitimacy of secure connections.<\/p>\n<p>All certificates are backed by a Certificate Authority and optional intermediary certificates as well.<\/p>\n<p>Creating a self-signed certificate guarantees encryption of the communication, but it does not protect against MITM (Man-In-The-Middle) attacks.<\/p>\n<p>By generating a Certificate Authority certificate and key, then installing the CA cert on all devices in a network, the Chain of Trust is completed.<\/p>\n<hr \/>\n<p><strong>LOCAL CHAIN OF TRUST<\/strong><\/p>\n<pre>openssl genpkey -algorithm RSA -out local-ca.key\r\nchmod 400 local-ca.key\r\nopenssl req -new -x509 -key local-ca.key -out local-ca.crt<\/pre>\n<p>Create a CSR (Certificate Signing Request) for a FQDN or Hostname (e.g. <strong>domain.local<\/strong>):<\/p>\n<pre>openssl req -new -key local-ca.key -out domain.local.csr<\/pre>\n<p>Create the signed certificate for the CSR with the CA key:<\/p>\n<pre>openssl x509 -req -in domain.local.csr -signkey local-ca.key -out domain.local.crt<\/pre>\n<p>For the FQDN \/ Hostname certificate to be trusted, the CA certificate must be installed on all hosts in the local network.<\/p>\n<p>Add the CA certificate on <strong>Ubuntu\/Debian<\/strong>:<\/p>\n<pre>cat \/etc\/ssl\/certs\/ca-certificates.crt | grep BEGIN | wc -l\r\nsudo mv local-ca.crt \/usr\/local\/share\/ca-certificates\/\r\nsudo update-ca-certificates\r\ncat \/etc\/ssl\/certs\/ca-certificates.crt | grep BEGIN | wc -l<\/pre>\n<p>Add the CA certificate on <strong>RHEL\/CentOS<\/strong>:<\/p>\n<pre>cat \/etc\/ssl\/certs\/ca-certificates.crt | grep BEGIN | wc -l\r\nsudo mv local-ca.crt \/etc\/pki\/ca-trust\/source\/anchors\/\r\nsudo update-ca-trust\r\ncat \/etc\/ssl\/certs\/ca-certificates.crt | grep BEGIN | wc -l<\/pre>\n<p><strong>Note:<\/strong> The first and last commands count how many CA certificates are already installed. The number should increase after the update.<\/p>\n<p>The <strong>curl<\/strong> command and other applications should now trust certificates issued by that CA.<\/p>\n<hr \/>\n<p><strong>CHAIN OF TRUST FOR PURCHASED CERTIFICATE<\/strong><\/p>\n<p>Some certificate vendors require that the full chain of trust be provided to work correctly:<\/p>\n<ul>\n<li>Purchased Certificate\n<ul>\n<li><span style=\"color: #777777; font-size: 1rem;\"><code>domain.com.crt<\/code><\/span><\/li>\n<li><code>domain.com.key<\/code><\/li>\n<\/ul>\n<\/li>\n<li>CA Certificate\n<ul>\n<li><code>CA.crt<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Virtual Host configuration on Apache (or any other web server):<\/p>\n<pre>SSLCertificateFile \/etc\/ssl\/certs\/domain.com.crt\r\nSSLCertificateKeyFile \/etc\/ssl\/private\/domain.com.key<\/pre>\n<p>Add the CA certificate on <strong>Ubuntu\/Debian<\/strong>:<\/p>\n<pre>sudo mv CA.crt \/usr\/local\/share\/ca-certificates\/\r\nsudo update-ca-certificates<\/pre>\n<p>Add the CA certificate on <strong>RHEL\/CentOS<\/strong>:<\/p>\n<pre>sudo mv CA.crt \/etc\/pki\/ca-trust\/source\/anchors\/\r\nsudo update-ca-trust<\/pre>\n<hr \/>\n<p><strong>CHAIN OF TRUST WITH BUNDLE CERTIFICATE<\/strong><\/p>\n<p>To serve the same domain over the internet without issues for remote clients that do not have the CA certificate installed:<\/p>\n<pre>SSLCertificateFile \/etc\/ssl\/certs\/domain.com.crt\r\nSSLCertificateKeyFile \/etc\/ssl\/private\/domain.com.key\r\n<strong>SSLCACertificateFile \/etc\/ssl\/ca\/CA.crt<\/strong><\/pre>\n<p>Optionally, both <code>.crt<\/code> files can be combined into one:<\/p>\n<pre>cat \/etc\/ssl\/certs\/domain.com.crt > \/etc\/ssl\/certs\/<strong>bundle_<\/strong>domain.com.crt\r\ncat \/etc\/ssl\/ca\/CA.crt >> \/etc\/ssl\/certs\/<strong>bundle<\/strong>_domain.com.crt<\/pre>\n<p>This bundle certificate provides clients with everything they need to verify the purchased certificate.<\/p>\n<hr \/>\n<p><strong>LAZY LOCALHOST SELF-SIGNED<\/strong><\/p>\n<pre>sudo apt install libnss3-tools mkcert -y\r\nsudo mkcert --install<\/pre>\n<hr \/>\n<p><strong>BONUS<\/strong><\/p>\n<p>On Debian-based systems, this command will wipe and re-add all CA certificates:<\/p>\n<pre>sudo update-ca-certificates --fresh<\/pre>\n<p>If needed, clear all cached certificates:<\/p>\n<pre>sudo rm -rf \/etc\/ssl\/certs\/*\r\nsudo update-ca-certificates<\/pre>\n<hr \/>\n<p><strong>SEE ALSO<\/strong><\/p>\n<p>A post about <strong>LIGHTtpd with Self-signed Cert<\/strong>  [<a href=\"https:\/\/dft.wiki\/?p=3392\">Link<\/a>].<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SSL\/TLS certificates for websites and servers are just one component of a Chain of Trust, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,7],"tags":[],"class_list":["post-3903","post","type-post","status-publish","format-standard","hentry","category-linux","category-web"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3903","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3903"}],"version-history":[{"count":6,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3903\/revisions"}],"predecessor-version":[{"id":5634,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/3903\/revisions\/5634"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3903"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3903"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3903"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}