Redhat – How to trust a self signed certificate

openssl, redhat, self-signed-certificate

I've generated a self-signed certificate using openssl – it's entirely self-signed and not signed by a self-signed CA. I've imported it successfully into the NSS database for use by browsers. I now want to trust it globally, so that tools like wget, curl etc. don't nag.

As per instructions elsewhere, I copied my certificate to /etc/pki/ca-trust/source/anchors/ and then ran "update-ca-trust extract". Unfortunately this seems to only work on CA certificates and not on single certificates. How can I achieve what I'm after? I know I can generate a self-signed CA and sign my certificate with that, but I have reasons for not doing this.

I generated my certificate like this:

# 4096-bit RSA private key
openssl genrsa -out server.key 4096
# certificate signing request for that key (read by the next step as server.csr)
openssl req -new -key server.key -out server.csr
# self-sign the request for ten years, adding the v3_req extensions from the system openssl.cnf
openssl x509 -sha256 -req -extensions v3_req -days 3650 -in server.csr -signkey server.key -out server.crt -extfile /etc/pki/tls/openssl.cnf

Any help would be greatly appreciated!

Best Answer

You want to trust a single self-signed certificate to identify the server it's used on without either trusting it as a CA to sign other certificates, or firing up your own CA root.

For RedHat 6, you need to put the server certificate into /etc/pki/tls/certs/, in a file whose name is the hash number of the certificate, with .0 appended.

Start by putting the certificate into a temporary file, say /tmp/selfie.crt. Find the hash with openssl x509 -noout -hash -in /tmp/selfie.crt; let's assume for the sake of argument it's 1234abcd. Put the certificate into the trusted store for RH6 with cp /tmp/selfie.crt /etc/pki/tls/certs/1234abcd.0.

Thanks to Nick Burch's guide on the subject for refreshing my memory about the details.

Though now you can get certificates publicly signed for $9 for the year, if not less, it's beginning to be more trouble than it's worth to do this.
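A scripted version of the answer's hash-directory procedure, added here as an example and not part of either post: it generates a constructed throwaway certificate, installs it under its hash name into a scratch directory standing in for /etc/pki/tls/certs, and shows that openssl verify accepts the certificate only once the hash-named file is in place. Run it with `sh trust-selfie.sh --demo` (the script name is assumed).

```shell
#!/bin/sh
# Added example, not from the original posts: install a single self-signed
# certificate into an OpenSSL hash directory and confirm that verification
# against that directory succeeds only once the file is in place.
# The scratch directory below stands in for /etc/pki/tls/certs on RHEL 6.
set -eu

# Copy CERT into DIR as <subject-hash>.N (N = 0 unless that name is taken).
# For a self-signed certificate subject == issuer, so the hash OpenSSL uses
# to look up the issuer in a CApath is the hash of the certificate itself.
install_selfsigned_anchor() {
    cert="$1"; dir="$2"
    h=$(openssl x509 -noout -hash -in "$cert")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$dir/$h.$n"
    echo "$dir/$h.$n"
}

# Print OK if LEAF chains to an anchor in DIR (or the system default file),
# FAIL otherwise. Always returns 0 so callers can capture the word.
verify_against_dir() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# End-to-end check with a constructed throwaway certificate standing in for
# the asker's server.crt. Prints "before=FAIL after=OK name=ok" on success.
run_demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=selfie.example \
        -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
    mkdir "$work/certs"
    before=$(verify_against_dir "$work/server.crt" "$work/certs")
    installed=$(install_selfsigned_anchor "$work/server.crt" "$work/certs")
    after=$(verify_against_dir "$work/server.crt" "$work/certs")
    expected="$work/certs/$(openssl x509 -noout -hash -in "$work/server.crt").0"
    [ "$installed" = "$expected" ] && name=ok || name=bad
    rm -rf "$work"
    echo "before=$before after=$after name=$name"
}

case "${1:-}" in --demo) run_demo ;; esac
```

Because only the default CA file is consulted alongside the hash directory, the "before" check fails for a freshly minted certificate and the "after" check passes purely on the strength of the <hash>.0 file.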