Importing a root CA into Manjaro

Here I am importing the root CA certificate from my FreeIPA server.

[home-pc ~]# mkdir freeipa-ca
[home-pc ~]# cd freeipa-ca
[home-pc freeipa-ca]# wget -O ca.crt freeipa.druids.local/ipa/config/ca.crt
--2020-09-09 18:31:11--  http://freeipa.druids.local/ipa/config/ca.crt
Resolving freeipa.druids.local (freeipa.druids.local)... 192.168.222.240
Connecting to freeipa.druids.local (freeipa.druids.local)|192.168.222.240|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1651 (1.6K)
Saving to: ‘ca.crt’

ca.crt                             100%[=======================>]   1.61K  --.-KB/s    in 0s      

2020-09-09 18:31:11 (357 MB/s) - ‘ca.crt’ saved [1651/1651]

Once you have the root CA file, copy it to /etc/ca-certificates/trust-source/anchors.

[home-pc freeipa-ca]# cp -v ca.crt /etc/ca-certificates/trust-source/anchors/freeipa.druids.local-ca.crt
'ca.crt' -> '/etc/ca-certificates/trust-source/anchors/freeipa.druids.local-ca.crt'

However, copying the file is not enough: you also need to run update-ca-trust. First, note the number of files in /etc/ssl/certs.

[home-pc ~]# ls -la /etc/ssl/certs/ | wc -l
420

If you run the command below...

[home-pc freeipa-ca]# update-ca-trust

...and then re-run the previous command, you should see an increased number of files.

[home-pc freeipa-ca]# ls -la /etc/ssl/certs/ | wc -l
423

This shows that the certificate has been added in an SSL-friendly way and the relevant links have been created. If you now visit any sites whose certificates are signed by this CA, you may need to clear your cache and/or restart your browser.
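The wget above fetched ca.crt over plain HTTP, so the file should be checked before it becomes a trust anchor. The following is an added example, not part of the original post: it compares the certificate's SHA-256 fingerprint with one obtained separately (for example, read on the FreeIPA server itself) and confirms the certificate is marked as a CA. The function names are hypothetical and the sample CA is constructed.

```shell
# Added example, not from the original post. Function names are hypothetical.
# Vet a downloaded CA certificate before copying it into
# /etc/ca-certificates/trust-source/anchors/.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if basicConstraints marks the certificate as a CA.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq '^[[:space:]]+CA:TRUE'
}

# vet_ca_cert FILE EXPECTED_FP
# EXPECTED_FP must come from a channel other than the download itself.
# Returns 0 = ok, 1 = fingerprint mismatch, 2 = unreadable, 3 = not a CA.
vet_ca_cert() {
    local file="$1" expected actual
    # Accept the expected value with or without colons, in either case.
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    actual=$(cert_sha256 "$file")
    [ -n "$actual" ] || return 2
    cert_is_ca "$file" || return 3
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Constructed sample input: a throwaway self-signed CA written to directory $1.
make_sample_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
```

With these functions sourced, run `vet_ca_cert ca.crt "<fingerprint read on the CA server>"` before the `cp` step and continue only if it returns 0.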
