Ubuntu – How to install a PFX certificate file into Ubuntu so Curl trusts it

curlssl-certificateUbuntuubuntu-18.04

I'm running Ubuntu 18.04 on Windows Subsystem for Linux 2. I am making a curl request to a web service running on the Windows side using a self-signed certificate. I receive this error:

curl: (60) SSL certificate problem: unable to get local issuer certificate

I'd like to add the cert to the local store. I have a .pfx file available. I know I can use -k but I want to use other command line tools against this server.

How do I do this?

My own trials

openssl s_client -showcerts -servername server -connect server:443 > foo.pem
openssl x509 -in foo.pem -inform PEM -out foo.crt
sudo cp foo.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

This looks plausible but didn't work, curl still has the same complaint.

I also tried to use a DER version.

sudo rm /usr/local/share/ca-certificates/windows_cert.crt
openssl x509 -in windows_cert.pem -inform PEM -out windows_cert_der.crt -outform DER
sudo cp windows_cert_der.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Give up

Don't worry, I started following some of the replies here.

https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

But got nowhere, its obviously a very hard problem in the world of computing.

I've found that a few months back they added a switch to the command line tool I need to use that ignores certificate problems.

Best Answer

You can use the openssl command to convert nearly any certificate format to another. PFX is another name for a pkcs12 container.

If you can extract the cert in PEM format curl should be able to use it.

openssl pkcs12 -in cert.pfx -clcerts -out cert.pem

This may ask you for a password which will be the one used to secure the PKCS12 file

You want to use the output cert.pem file with the --cacert curl command line option not -k

Related Solutions

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

How to debug certificate chains with OpenSSL

Be sure to include all the intermediate certificates and see that they are up to date. If test.crt is in fact a file containing only /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, this is the correct approach. You can include the root as well, and most clients will accept such chains, but a few will choke.

In general it's best practice to include all the certificates from yours to the last one before the root, in case a client doesn't have the last intermediate.

It's also possible that test.crt contains things other than the correct chain. OpenSSL doesn't do partial chain validation by default (in older versions, it doesn't do it at all). When operating in this mode it doesn't care what is in /etc/ssl/certs.

Alternatively, you may be presenting an expired intermediary certificate. CAs often recertify their intermediates with the same key; if they do that, just download the updated intermediate CA certificate and replace the expired one in your chain.

Finally, with openssl s_client, you need to specify what it is validating against. For example, use the option -CApath /etc/ssl/certs or -CAfile your_ca.crt. For the first option use your system's trust store, and for the second option specify the root CA certificate.