Importing a root CA into Manjaro

So that I can browse to resources on my local network using HTTPS and avoid the annoying, “do you trust the site?” warning, I am importing the root certificate for my Certificate Authority (CA) to my local trusted certificates.

How you get your CA may well differ but the below process will be the same if you have a CA and want to add it to an Arch Linux system. My CA is contained within and managed from my FreeIPA server. Below I fetch it using wget from the FreeIPA server directly. Remember, this is a system-wide change so must be done as root or with the sudo command.

[home-pc ~]# mkdir freeipa-ca
[home-pc ~]# cd freeipa-ca
[home-pc freeipa-ca]# wget -O ca.crt freeipa.druids.local/ipa/config/ca.crt
--2020-09-09 18:31:11--  http://freeipa.druids.local/ipa/config/ca.crt
Resolving freeipa.druids.local (freeipa.druids.local)...
Connecting to freeipa.druids.local (freeipa.druids.local)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1651 (1.6K)
Saving to: ‘ca.crt’

ca.crt                           100%[=======================>]   1.61K  --.-KB/s    in 0s      

2020-09-09 18:31:11 (357 MB/s) - ‘ca.crt’ saved [1651/1651]

Once you have the root CA file, copy it to /etc/ca-certificates/trust-source/anchors. You will need to do this as root or precede the following command with sudo.

[home-pc freeipa-ca]# trust anchor --store ca.crt

If for some reason that did not work, you can also try doing it manually as shown below.

[home-pc freeipa-ca]# cp -v ca.crt /etc/ca-certificates/trust-source/anchors/freeipa.druids.local-ca.crt
'ca.crt' -> '/etc/ca-certificates/trust-source/anchors/freeipa.druids.local-ca.crt'

Then you need to run update-ca-trust. First, note the number of files in /etc/ssl/certs.

[home-pc ~]# ls -la /etc/ssl/certs/ | wc -l

If you run the below command…..

[home-pc freeipa-ca]# update-ca-trust

….and then re-run the previous command, you should see an increased number of files.

[home-pc freeipa-ca]# ls -la /etc/ssl/certs/ | wc -l

This shows the certificate has been added in an SSL-friendly way and the relevant links inserted. If you now visit any sites signed with this CA, you may need to clear your cache and/or restart your browser.

Be the first to comment

Leave a Reply