So that I can browse to resources on my local network using HTTPS and avoid the annoying, “do you trust the site?” warning, I am importing the root certificate for my Certificate Authority (CA) to my local trusted certificates.
How you get your CA may well differ but the below process will be the same if you have a CA and want to add it to an Arch Linux system. My CA is contained within and managed from my FreeIPA server. Below I fetch it using
wget from the FreeIPA server directly. Remember, this is a system-wide change so must be done as root or with the
[home-pc ~]# mkdir freeipa-ca [home-pc ~]# cd freeipa-ca [home-pc freeipa-ca]# wget -O ca.crt freeipa.druids.local/ipa/config/ca.crt --2020-09-09 18:31:11-- http://freeipa.druids.local/ipa/config/ca.crt Resolving freeipa.druids.local (freeipa.druids.local)... 192.168.222.240 Connecting to freeipa.druids.local (freeipa.druids.local)|192.168.222.240|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1651 (1.6K) Saving to: ‘ca.crt’ ca.crt 100%[=======================>] 1.61K --.-KB/s in 0s 2020-09-09 18:31:11 (357 MB/s) - ‘ca.crt’ saved [1651/1651]
Once you have the root CA file, copy it to
/etc/ca-certificates/trust-source/anchors. You will need to do this as root or precede the following command with
[home-pc freeipa-ca]# trust anchor --store ca.crt
If for some reason that did not work, you can also try doing it manually as shown below.
[home-pc freeipa-ca]# cp -v ca.crt /etc/ca-certificates/trust-source/anchors/freeipa.druids.local-ca.crt 'ca.crt' -> '/etc/ca-certificates/trust-source/anchors/freeipa.druids.local-ca.crt'
Then you need to run
update-ca-trust. First, note the number of files in
[home-pc ~]# ls -la /etc/ssl/certs/ | wc -l 420
If you run the below command…..
[home-pc freeipa-ca]# update-ca-trust
….and then re-run the previous command, you should see an increased number of files.
[home-pc freeipa-ca]# ls -la /etc/ssl/certs/ | wc -l 423
This shows the certificate has been added in an SSL-friendly way and the relevant links inserted. If you now visit any sites signed with this CA, you may need to clear your cache and/or restart your browser.