How-to: Adding trusted root certificates to the SO (Win / MAC / Unix).
# Arch , Debian, Ubuntu
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
# Red-Hat, Fedora, CentOS
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt
# Centos 5
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/certs/ca-bundle.crtsudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crtsudo security delete-certificate -c "<name of existing certificate>"certutil -addstore -f "ROOT" new-root-certificate.crtcertutil -delstore "ROOT" serial-number-hexCopy your CA to dir /usr/local/share/ca-certificates/
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crtUpdate the CA store:
sudo update-ca-certificatesRemove your CA (/usr/local/share/ca-certificates/)
sudo update-ca-certificates --freshCopy your CA to dir /etc/pki/trust/anchors/
sudo cp foo.crt /etc/pki/trust/anchors/foo.crtUpdate the CA store:
sudo update-ca-certificatesInstall the ca-certificates package:
yum install ca-certificatesEnable the dynamic CA configuration feature:
update-ca-trust force-enableAdd it as a new file to /etc/pki/ca-trust/source/anchors/:
cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extractAppend your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt
cat foo.crt >> /etc/pki/tls/certs/ca-bundle.crtSolaris-specific Solaris keeps the CA certs in /etc/certs/CA/.
Hashed links to the CA certs are in /etc/openssl/certs/ for fast lookup and access (usually by OpenSSL).
By convention, but not required, the filenames in /etc/certs/CA is the cert holder's CN with spaces replaced by underscores (_) and appended with a .pem file name extension. For example, file /etc/certs/CA/foo.pem contains the cert for CN VeriSign Class 4 Public Primary Certification Authority - G3.
Make or verify the cert is world-readable, if not already.
chmod a+r foo.pem; ls -l foo.pemCopy the cert to directory "/etc/certs/CA".
cp -p foo.pem /etc/certs/CA/Install he cert into "/etc/certs/ca-certificates.crt" and add a hashed link in "/etc/openssl/certs/".
/usr/sbin/svcadm restart /system/ca-certificatesVerify the CA cert service has restarted (and processed your new CA cert).
/usr/sbin/svcs /system/ca-certificatesIf the service hasn't started it could be the cert is corrupt or is a duplicate of an existing CA cert. Look for error messages in files "/var/svc/log/system-ca-certificates:default.log" and "/system/volatile/system-ca-certificates:default.log"
Firefox has its own certificate store.
Firefox Options -> Advanced -> Certificates
How can I trust CAcert's root certificate?: http://wiki.cacert.org/FAQ/ImportRootCert