I have created a custom root certificate authority for an internal network, example.com. Ideally, I would like to be able to deploy the CA certificate associated with this certificate authority to my Linux clients (running Ubuntu 9.04 and CentOS 5.3), such that all of the applications automatically recognize the certificate authority (i.e. I do not want to have to configure Firefox, Thunderbird, etc manually to trust this certificate authority).
I have attempted this on Ubuntu by copying the PEM-encoded CA certificate to /etc/ssl/certs/ and /usr/share/ca-certificates/, as well as by modifying /etc/ca-certificates.conf and rerunning update-ca-certificates, however applications do not seem to recognize that I have added another trusted CA to the system.
Therefore, is it possible to add a CA certificate once to a system, or is it necessary to manually add the CA to all of the possible applications that will attempt to make SSL connections to hosts signed by this CA in my network? If it is possible to add a CA certificate once to the system, where does it need to go?
Thanks.
Best Answer
In short: You need to update every application by itself
Not even Firefox and Thunderbird share certificates.
Unfortunately Linux has no central place to store/manage SSL-certificates. Windows does have such a place but in the end you end up with the same problem (Firefox/Thunderbird won't use the Windows provided API to determine validity of an SSL cert)
I'd go with something like puppet/cfengine on each of the hosts and place the needed root certificates on all the clients with the mechanisms those tools provide.