Hexa's Blog

How to add Certificate Authority (CA) in Fedora to support chain certificate?

09/09/2023 @ Saigon SSL

Step 1. Using chrome to extract certificates.

[1] Open certificate viewer in Google Chrome
[1] Open certificate viewer in Google Chrome
[2] Export certificate
[2] Export certificate

Only need to use extract CA’s certificate. Export it with file extension named .pem

Please take a note that, update-ca-trust determines certificate format using file header which locates in very first bytes in the binary file. Eventhough you save certificates with .crt , .cer, it’s still .pem.

To determine file format, you shoule use command file, for example $ file file_name.

To illustrate this point. I’ll give an example.

####### List all file, take a look at the file extension, .crt and .pem
$ ls -l
'Default Trust_DigiCert Global Root CA.crt'
'Default Trust_DigiCert Global Root CA.pem'

####### Determine file format with command named `file`
$ file *
Default Trust_DigiCert Global Root CA.crt: PEM certificate
Default Trust_DigiCert Global Root CA.pem: PEM certificate

Step 2. Copy certificate authority’s certificate to /etc/pki/ca-trust/source/anchors

Step 3. Update /etc/ssl/certs/ca-certificates.crt

$ sudo update-ca-trust extract

You can check this file /etc/ssl/certs/ca-certificates.crt to ensure that it is updated.

Step 4. Testing

This is an image before update-ca-trust

[3] Before update-ca-trust
[3] Before update-ca-trust

And, this is an image after update-ca-trust.

[3] After update-ca-trust
[3] After update-ca-trust

Good luck!