
Adding additional SSL Certificate to default ca bundle | SSL Certificate Chain V


Sometimes you need to connect via SSL to a website or service and get stuck because OpenSSL cannot verify
the server's certificate. With curl, for instance, you see:

No cURL data returned for https://my.webserver.com:443 [0] SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Disabling the SSL verification checks is not a good idea: without them any certificate is accepted, including one presented by a man-in-the-middle, so you lose exactly the protection the connection is supposed to give you.

SSL certificates form a validation chain, see [2]: the server's certificate is signed by an intermediate CA, which in turn is signed by a root CA. A client can only validate the server's certificate if it can build that chain from the certificate it receives up to a root it already trusts. So if the server does not send its intermediate, or the root (the trusted issuer) is not in your bundle yet, you have to add the missing certificates to your ca-bundle.crt yourself. Most distributions come with a default certificate file which is used by various clients (curl, LDAP, mail) to validate SSL/TLS connections. The first problem is to find out where exactly your default SSL certificate folder is located: in Ubuntu it seems to be /etc/ssl, in CentOS and Scientific Linux it is /etc/pki/tls/certs. We will go through this step by step.

mkdir -p ~/.cert/cert.test/
cd ~/.cert/cert.test/
openssl s_client -showcerts -servername my.webserver.com -connect my.webserver.com:443 < /dev/null

(-servername sends the host name via SNI, so a server hosting several sites returns the right certificate; the redirection from /dev/null makes s_client exit instead of waiting for input.) Since OpenSSL cannot find an issuer for the certificate the server sent, the output ends with:

Verify return code: 21 (unable to verify the first certificate)

Code 21 means the chain the server presented consists of only its own, non-self-signed certificate and nothing in your trust store signs it: typically the intermediate CA certificate is missing, either on the server side, in your bundle, or both.

Now copy the first certificate shown in the output, from the "-----BEGIN CERTIFICATE-----" line to the "-----END CERTIFICATE-----" line inclusive, and save it in your ~/.cert/cert.test/ directory as mycert.pem

Next, look in the same openssl output for the "Certificate chain" section:

Certificate chain
0 s:/O=my.webserver.com/CN=my.webserver.com/OU=Domain Control Validated
i:/C=US/ST=Arizona/L=Scottsdale/O=Issuer.com, Inc./OU=http://certificates.issuer.com/repository/CN=Issuer Certification Authority/serialNumber=04369233

This tells you that your certificate was issued by Issuer.com, so get the issuer's certificate as well. Most issuers publish their CA certificates in PEM format, so download it from there. You may also need the root certificate, i.e. the certificate of the issuer's issuer. Again: the client needs the whole chain up to a self-signed root. You can test this incrementally, because the test below keeps failing until every required certificate has been imported. Strictly speaking, only the issuer certificates have to be in the trust store; the server's own certificate (mycert.pem) is the thing being verified, and keeping it in the test directory does no harm but does not help the chain to build either. As soon as you have all certificates, run c_rehash over the directory (on CentOS/SL6 this needed yum install openssl-perl.x86_64 upfront; Ubuntu/Debian probably have a similar package, and OpenSSL 1.1.0 and later ship the equivalent "openssl rehash" built in):

c_rehash ~/.cert/cert.test/

Your output should look like the following:

Doing ~/.cert/cert.test/
my_issuers_issuer.pem => 5a37af32.0
myissuer.pem => 1d97af50.0
mycert.pem => 219d9499.0

You can have a look at one of the hash files with cat 219d9499.0; it is just the corresponding PEM certificate (a symlink to it) under a name derived from the hash of the certificate's subject, which is how OpenSSL locates an issuer in a -CApath directory.

Test your new certs:

openssl s_client -CApath ~/.cert/cert.test/ -servername my.webserver.com -showcerts -connect my.webserver.com:443 < /dev/null

Now, the output should look like the following, if everything is fine:

Verify return code: 0 (ok)

Now copy the hash files of the CA certificates (the issuer's and the root's, not the server's own certificate) to your "ca-cert" folder, e.g. /etc/pki/tls/certs:

sudo cp 5a37af32.0 1d97af50.0 /etc/pki/tls/certs

Then append the same CA certificates to your "ca-bundle.crt". Note that a plain >> redirection is performed by your own shell, not by sudo, so it fails on the root-owned bundle; pipe through tee instead:

cat 5a37af32.0 1d97af50.0 | sudo tee -a /etc/pki/tls/certs/ca-bundle.crt > /dev/null

Voilà, now you should be able to use curl, git, svn or whatever over a verified SSL connection. Please double-check the downloaded certificates (issuer, root, etc.) to make sure you got the correct ones: fetch them from the CA's own site over HTTPS and compare the root certificate's fingerprint with the one the CA publishes, because a wrong or attacker-supplied root in your bundle defeats the whole check.
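The whole procedure as an added example, not code from the original post: a POSIX shell script that builds a throwaway root/intermediate/server certificate chain with openssl (no network needed), hash-names certificates into a CApath the way c_rehash does, and verifies the server certificate against the leaf alone, the intermediate alone, and the full issuing chain, then prints the root's fingerprint for the out-of-band comparison described above. The CA names, my.webserver.com and all paths are made up; the script assumes only that openssl is installed.

```shell
#!/bin/sh
# Added example (not code from the original post). Builds a throwaway
# root -> intermediate -> server certificate chain, hashes certificates into
# a CApath the way c_rehash does, and verifies the server certificate with
# different trust stores. Assumes only that openssl is in PATH; all names,
# key material and paths are made up for the demo.
set -u

WORK="${TMPDIR:-/tmp}/cert.test.$$"

# Key + CSR with the given CN, using a minimal req config so the script does
# not depend on the system openssl.cnf. Keys are throwaway demo keys.
make_csr() { # $1 = basename, $2 = CN
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Demo PKI: self-signed root, intermediate CA signed by the root, server
# certificate for my.webserver.com signed by the intermediate.
make_demo_pki() {
    rm -rf "$WORK" && mkdir -p "$WORK" || return 1
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my.webserver.com\n' > "$WORK/leaf.ext"
    make_csr root "Demo Root CA" &&
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" 2>/dev/null &&
    make_csr inter "Demo Issuing CA" &&
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 1000 -extfile "$WORK/ca.ext" -days 2 -out "$WORK/inter.pem" 2>/dev/null &&
    make_csr leaf "my.webserver.com" &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -set_serial 2000 -extfile "$WORK/leaf.ext" -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# What c_rehash does: store each certificate in the CApath under
# <subject hash>.N, N counting up from 0 on hash collisions, so that
# OpenSSL's -CApath lookup can find an issuer by its subject name.
hash_into_capath() { # $1 = CApath directory, rest = PEM files
    dir="$1"; shift
    mkdir -p "$dir" || return 1
    for pem in "$@"; do
        h=$(openssl x509 -noout -hash -in "$pem") || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        cp "$pem" "$dir/$h.$n" || return 1
    done
}

# Verify the server certificate against the given CApath; exit status 0 = OK.
verify_leaf() { # $1 = CApath directory
    openssl verify -CApath "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, to compare against what the CA
# publishes before trusting a downloaded root.
fingerprint() { # $1 = PEM file
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

demo() {
    make_demo_pki || { echo "could not build demo PKI"; return 1; }
    hash_into_capath "$WORK/leaf-only"  "$WORK/leaf.pem"
    hash_into_capath "$WORK/inter-only" "$WORK/inter.pem"
    hash_into_capath "$WORK/chain"      "$WORK/inter.pem" "$WORK/root.pem"
    # Only the store holding the complete issuing chain should verify.
    for store in leaf-only inter-only chain; do
        if verify_leaf "$WORK/$store"; then echo "$store: Verify OK"
        else echo "$store: verify failed"; fi
    done
    echo "root $(fingerprint "$WORK/root.pem")"
    ls "$WORK/chain"
    rm -rf "$WORK"
}

demo
```

The leaf-only store fails because no issuer for the server certificate can be found; the intermediate-only store fails because, without OpenSSL's partial-chain option, a chain has to end in a self-signed root that is in the store; the chain store succeeds. That is the same progression as testing incrementally with -CApath above.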

Please note that some distributions overwrite the ca-bundle.crt file during updates; therefore this is maybe not a long-term
A more durable way on current distributions is to put the CA certificate into the directory reserved for locally added CAs (/usr/local/share/ca-certificates/ on Debian/Ubuntu, /etc/pki/ca-trust/source/anchors/ on newer RHEL/CentOS and Fedora) and regenerate the bundle with the distribution's own tool (update-ca-certificates resp. update-ca-trust), which package updates then leave intact.

I hope this helps.

Acks: This tutorial was inspired by the wonderful NixCraft [1] site.
[1] http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/
[2] http://en.wikipedia.org/wiki/Secure_Sockets_Layer