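Linux CA upgrade, Linux update CA certificates

This article describes how to update CA certificates on Ubuntu and on CentOS 6 and 7. On Ubuntu, use the `update-ca-certificates` command; on CentOS 6, install `ca-certificates` and run `update-ca-trust`. For CentOS 7, two methods are given: using `yum install ca-certificates`, and manually copying the PEM file to the designated directory and then running `update-ca-trust extract`.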

Last updated: 2017-06-01

Contents

Ubuntu

CentOS 6

Folder

CentOS 7

Ubuntu

update-ca-certificates

CentOS 6

update-ca-trust - manage consolidated and dynamic configuration of CA certificates and associated trust

for new applications that read the consolidated configuration files found in the /etc/pki/ca-trust/extracted directory or that load the PKCS#11 module p11-kit-trust.so

# Install

yum install ca-certificates

# Provides: update-ca-trust

# /usr/share/pki/ca-trust-source/  

# /etc/pki/ca-trust/source/           

Usage

# To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

1. add it as a new pem file to directory

cp my.pem /etc/pki/ca-trust/source/anchors

2.

update-ca-trust

3. Create the files under /etc/pki/ca-trust/extracted/

update-ca-trust extract

Files(Output File)

"update-ca-trust" is the command that updates them

/etc/pki/tls/certs/ca-bundle.crt                 # simple BEGIN/END CERTIFICATE file format

# COMODO RSA Certification Authority

-----BEGIN CERTIFICATE-----

MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907Y...

...

-----END CERTIFICATE-----

# ACCVRAIZ1

-----BEGIN CERTIFICATE-----

MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJ...

...

/etc/pki/tls/certs/ca-bundle.trust.crt         # extended BEGIN/END TRUSTED CERTIFICATE file format

/etc/pki/ca-trust/extracted                       # Created using the "update-ca-trust extract"

ls /etc/pki/ca-trust/extracted

java openssl pem README

Folder

Simple trust anchors subdirectory:

/usr/share/pki/ca-trust-source/anchors/

/etc/pki/ca-trust/source/anchors/             # '/etc' override any other default configuration

Extended format directory:

/usr/share/pki/ca-trust-source/

/etc/pki/ca-trust/source/

/etc/pki/ca-trust/extracted/

Contains consolidated and automatically generated configuration files for consumption by applications,

which are created using the "update-ca-trust extract" command.

If your certificate is in the extended "BEGIN TRUSTED" file format

(which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:

add it as a new file to directory /etc/pki/ca-trust/source/anchors/

CentOS 7: add a trusted certificate

Method 1

yum install ca-certificates

update-ca-trust

Method 2

When "Method 1" does not work, use the following approach

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

cp foo.crt /etc/pki/ca-trust/source/anchors/

OR

cp foo.ca-bundle.crt /etc/pki/ca-trust/source/anchors/

update-ca-trust extract
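
As an added example (not code from the original page), these shell functions check that a PEM certificate copied into the anchors directory really appears in the consolidated bundle after update-ca-trust extract, comparing base64 bodies so that different line wrapping does not matter. The function names and the placeholder bodies in selftest are assumptions made for illustration; DER files are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that a PEM anchor was
# merged into the consolidated bundle by "update-ca-trust extract".

# pem_bodies FILE: print one line per BEGIN/END CERTIFICATE block in FILE,
# holding that block's base64 body with line breaks and blanks removed.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# anchor_in_bundle ANCHOR BUNDLE
# returns 0 if every certificate in ANCHOR is present in BUNDLE, 1 if one is
# missing, 2 if a file is unreadable or ANCHOR holds no PEM certificate.
anchor_in_bundle() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    wanted=$(pem_bodies "$1")
    [ -n "$wanted" ] || return 2
    have=$(pem_bodies "$2")
    for body in $wanted; do          # base64 has no blanks or glob characters
        printf '%s\n' "$have" | grep -qxF -- "$body" || return 1
    done
    return 0
}

# selftest: run the check on constructed files (placeholder base64 text, not
# real certificates); returns 0 if the three cases behave as documented.
selftest() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Example Internal CA (constructed)' '-----BEGIN CERTIFICATE-----' \
        'QUFBQUFBQUFBQUFB' 'QkJCQkJCQkI=' '-----END CERTIFICATE-----' > "$d/my.pem"
    printf '%s\n' '# Other CA (constructed)' '-----BEGIN CERTIFICATE-----' \
        'Q0NDQ0NDQ0M=' '-----END CERTIFICATE-----' > "$d/before.crt"
    # After extraction the same body may be wrapped differently.
    { cat "$d/before.crt"; printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'QUFBQUFBQUFBQUFBQkJCQkJCQkI=' '-----END CERTIFICATE-----'; } > "$d/after.crt"
    r1=0; anchor_in_bundle "$d/my.pem" "$d/before.crt" || r1=$?
    r2=0; anchor_in_bundle "$d/my.pem" "$d/after.crt" || r2=$?
    r3=0; anchor_in_bundle "$d/absent.pem" "$d/after.crt" || r3=$?
    rm -rf "$d"
    [ "$r1" -eq 1 ] && [ "$r2" -eq 0 ] && [ "$r3" -eq 2 ]
}

# With two arguments, check real files; with none, only define the functions.
[ "$#" -ne 2 ] || { rc=0; anchor_in_bundle "$1" "$2" || rc=$?; echo "result: $rc"; }
```

Run it with the copied anchor (for example /etc/pki/ca-trust/source/anchors/foo.crt) and /etc/pki/tls/certs/ca-bundle.crt as the two arguments; a result of 1 means the extract step did not pick the certificate up.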

Remark: how to obtain the CA certificate

Open a webpage that uses the CA with Firefox

Click the lock icon in the address bar -> show information -> show certificate

The certificate viewer will open

Click Details and choose the certificate in the certificate chain that you want to import to CentOS

Click "Export..." and save it as a .crt file
