A lot of tutorials and how-to guides can be found on the Internet regarding the creation of self-signed certificates, or even of your own certificate authority. While the tutorials are usually very good and pretty straightforward, for some reason they seem to leave out the instructions for actually deploying the CA certificates.
Although not all applications under GNU/Linux distributions respect this, applications very often use the certificates located in the <em>/etc/ssl/certs</em> directory. The certificates themselves are usually installed through the ca-certificates package. To install a custom CA certificate and integrate it into the system so that most applications can find it, perform the following steps.
- Make sure you have installed the ca-certificates package.
Under Debian the package can be installed by issuing the following command:
$ apt-get install ca-certificates
Under Gentoo the package can be installed by issuing the following command:
$ emerge -v ca-certificates
Under Fedora the package can be installed by issuing the following command:
$ yum install ca-certificates
- Make sure you have certificates in PEM format, with the .crt extension. For the purpose of this example the certificate file will be named <em>Example Root.ca</em>.
- Create a subdirectory within the <em>/usr/share/ca-certificates/</em> directory. For the purpose of this example the directory will be named <em>example.com</em>. Place the certificate authority certificate into this subdirectory.
- Append to the file <em>/etc/ca-certificates.conf</em> a new line listing the path of the certificate you just copied, relative to the <em>/usr/share/ca-certificates/</em> directory. For the purpose of this example the line will be:
- Finally, run the <em>update-ca-certificates</em> command as root in order to have it regenerate the <em>/etc/ssl/certs</em> directory to reflect the new changes.
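The steps above as one idempotent shell script, an added example that is not from the original post. It assumes the Debian ca-certificates layout described above, uses a constructed certificate name (<em>example-root.crt</em>) in place of the post's, and takes a prefix argument so it can be exercised against a scratch directory instead of the real root.

```shell
#!/bin/sh
# Added example, not from the original post: installs a CA certificate the way
# the steps above describe, using the Debian ca-certificates layout. The first
# argument is a prefix; leave it empty on a real system and run as root. The
# subdirectory name and certificate file name are assumptions for illustration.
set -eu

# update-ca-certificates only picks up *.crt files and expects PEM, so refuse
# anything that does not carry the PEM certificate markers.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q '^-----END CERTIFICATE-----' "$1"
}

# install_ca_cert <prefix> <subdir> <cert-file>
# Copies the certificate to <prefix>/usr/share/ca-certificates/<subdir>/ and
# appends its relative path to <prefix>/etc/ca-certificates.conf. Re-running
# does not duplicate the entry. Prints the relative path on success.
install_ca_cert() {
    prefix=$1; subdir=$2; cert=$3
    name=$(basename "$cert")
    case "$name" in
        *.crt) ;;
        *) echo "refusing $name: update-ca-certificates only reads *.crt files" >&2
           return 1 ;;
    esac
    is_pem_cert "$cert" || { echo "refusing $name: not a PEM certificate" >&2; return 1; }

    store="$prefix/usr/share/ca-certificates/$subdir"
    conf="$prefix/etc/ca-certificates.conf"
    mkdir -p "$store" "$(dirname "$conf")"
    install -m 0644 "$cert" "$store/$name"

    rel="$subdir/$name"
    # A leading '!' in ca-certificates.conf marks a deselected certificate;
    # treat either form as already present so an admin's choice is kept.
    if ! grep -qxF -e "$rel" -e "!$rel" "$conf" 2>/dev/null; then
        printf '%s\n' "$rel" >> "$conf"
    fi
    echo "$rel"
}

# Regenerate /etc/ssl/certs. Only meaningful on the real root, as root, so it
# is skipped when a scratch prefix is in use.
refresh_trust_store() {
    [ -n "${1:-}" ] || update-ca-certificates
}

# Real-system usage (as root):
#   install_ca_cert "" example.com /path/to/example-root.crt && refresh_trust_store ""
```

With an empty prefix, run as root, the two calls perform the real install and regenerate /etc/ssl/certs; non-.crt and non-PEM input is rejected up front because update-ca-certificates only processes *.crt files. Fedora-family systems use update-ca-trust with /etc/pki/ca-trust/source/anchors rather than this layout.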
After these steps many utilities (like <em>wget</em>, for example) will be able to properly utilise the newly-installed certificate. Keep in mind that some applications do not use the certificates located within the <em>/etc/ssl/certs/</em> directory (like Firefox, or Thunderbird), and in these cases you'll have to import the certificate manually into each one of them.