All of the well-known graphical web browsers ship with a collection of known and trusted Certificate Authority (CA) certificates, so when you visit a site with a certificate signed by one of those CA certificates, the browser also trusts the site. Otherwise, the browser steps through a series of warnings and options to add an exception after encouraging you to verify the certificate. There are also options to import additional CA certificates, such as those documented for Firefox.
Using CA certificates with command line utilities
CA certificates can be made available at the command line as well. A package included with many distributions, including Red Hat Enterprise Linux and Fedora, is called ca-certificates. This package is self-described as containing "the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI." This package includes the same well-known CA certificates found in Firefox. It can be used by any CLI application that looks directly at the /etc/pki/ca-trust/extracted directory, along with the CLI applications that load one of the PKCS#11 trust modules.
Command-line utilities such as curl and wget can use these CA certificates to validate server certificates. Many tools provided with Red Hat Enterprise Linux also use these certificates, including those for interactions with Red Hat support (redhat-support-tool), Red Hat OpenShift clusters (oc), and Red Hat Satellite 6 servers (hammer). Many other interactions with server API interfaces also use SSL/TLS and should validate the certificates offered.
With the ca-certificates package installed, I can use curl to view or download URL content from a site using a certificate signed by a well-known CA without error:

$ curl https://access.redhat.com -o /tmp/sample
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  103k    0  103k    0     0   339k      0 --:--:-- --:--:-- --:--:--  337k
If I try to access an internal site that has a self-signed certificate (or a certificate signed by a CA that is not included with the ca-certificates package), I get an error saying that curl refused to complete the connection because the certificate is not trusted:

$ curl https://somehost.internal-FQDN/
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Some documentation encourages a simple insecure connection for these internal and trusted sites. Curl can connect insecurely, skipping certificate verification entirely, with the -k option:
$ curl -k https://somehost.internal-FQDN/
Or, if I have verified and downloaded my internal CA certificate, I can tell curl to verify the site with that certificate:
$ curl --cacert /path/to/cert-file https://somehost.internal-FQDN/
Other programs are similar. With the OpenShift and Origin tool for managing applications (oc), a connection to a default installed cluster may not recognize the generated, self-signed CA certificate that the cluster uses to sign other internal certificates. This issue includes a connection to CodeReady Containers:

$ oc login -u developer -p developer https://api.crc.testing:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n):
If you have a copy of the certificates, specify the client certificate with the --client-certificate="" option, or the CA certificate with the --certificate-authority="" option, when using the oc command.
Red Hat Satellite server and the CLI tool hammer work similarly, but the CA certificate can be specified at the command line or in the ~/.hammer/cli_config.yml file. The hammer command also has an option to import the Satellite CA certificate directly into the user's .hammer configuration directory:

$ hammer --fetch-ca-cert https://satellite.example.com
CA certificate for https://satellite.example.com was stored to ..output omitted...
This command only makes the certificate available to the single user and would have to be repeated for each user on the system. To make the certificate available to all users on a system, the output of the hammer command even suggests using ca-certificates.
Updating ca-certificates to validate sites with an internal CA certificate
Instead of manually specifying the CA certificate with each command, we can add our internal CA certificates to the CA trust provided by the ca-certificates package. This package provides a directory structure in /etc/pki/ to manage the certificates and a command, update-ca-trust, to manage the "consolidated and dynamic configuration of CA certificates and associated trust":

$ ls /etc/pki/ca-trust/
ca-legacy.conf  extracted  README  source
$ ls /etc/pki/ca-trust/source
anchors  blacklist  ca-bundle.legacy.crt  README
To add a certificate, download it, place it in the /etc/pki/ca-trust/source/anchors directory, and then run the command update-ca-trust. Anything placed in anchors becomes trusted system-wide, so confirm the downloaded file's fingerprint out of band before installing it. You will need to be root for these two tasks:

$ sudo curl http://satellite.example.com/pub/katello-server-ca.crt -o /etc/pki/ca-trust/source/anchors/satellite-ca.crt
$ sudo update-ca-trust
Once the update command is issued, the certificate is made available through the /etc/pki/ca-trust/extracted tree:

$ ls /etc/pki/ca-trust/extracted
edk2  java  openssl  pem  README
Applications that look to this directory to verify certificates can use any of the formats provided. The update command handles the copies, conversions, and consolidation for the different formats. The man page for update-ca-trust has more information about the directory structure, formats, and ways that certificates are accessed, but a quick way to list all of the certificate subjects in the bundle is with the following awk and openssl commands:
$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
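Listing subjects shows what is in the bundle; a second check worth running after update-ca-trust is whether the anchor you dropped into source/anchors is actually present in the extracted bundle. The following Python script is an added example, not part of the article or of the ca-certificates package: it compares SHA-256 fingerprints of the certificates in the anchor file against those in tls-ca-bundle.pem. The anchor filename satellite-ca.crt is the article's example name, and the sample PEM payloads at the bottom are constructed placeholders, not real certificates.

```python
"""Added example: confirm an anchor really made it into the extracted ca-trust bundle.
Not part of ca-certificates; the sample payloads below are placeholders, not real DER."""
import base64
import hashlib
import re

# Paths from the article: where anchors go in, and the PEM bundle update-ca-trust writes.
ANCHOR_PATH = "/etc/pki/ca-trust/source/anchors/satellite-ca.crt"
BUNDLE_PATH = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_certs(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file or bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]

def fingerprint(der):
    """SHA-256 fingerprint, colon-separated like 'openssl x509 -fingerprint -sha256'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def anchor_in_bundle(anchor_pem, bundle_pem):
    """True only if the anchor file parses and every cert in it is in the bundle.
    A file with no PEM CERTIFICATE block yields False: nothing in it could be trusted,
    which usually means the wrong file (or a DER file) was dropped into anchors."""
    anchors = {fingerprint(der) for der in der_certs(anchor_pem)}
    bundle = {fingerprint(der) for der in der_certs(bundle_pem)}
    return bool(anchors) and anchors <= bundle

def check_system(anchor_path=ANCHOR_PATH, bundle_path=BUNDLE_PATH):
    """Run the check against the real files after 'update-ca-trust' has been run."""
    with open(anchor_path) as a, open(bundle_path) as b:
        return anchor_in_bundle(a.read(), b.read())

def make_pem(der):
    """Wrap bytes as a PEM CERTIFICATE block; used only to build the constructed samples."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed samples: placeholder bytes stand in for DER certificates.
SAMPLE_ANCHOR = make_pem(b"placeholder: internal Satellite CA")
SAMPLE_BUNDLE = make_pem(b"placeholder: public root CA") + SAMPLE_ANCHOR

if __name__ == "__main__":
    print("anchor present in bundle:", anchor_in_bundle(SAMPLE_ANCHOR, SAMPLE_BUNDLE))
```

On a real system, call check_system() as a user that can read both paths; the fingerprint function prints the same form as openssl, so a mismatch can be compared directly against the value you verified out of band.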
Now that I have added the CA certificate for my Satellite Server, I can use curl without any additional certificate options to access the API:

$ curl --request GET --user admin https://satellite.example.com/katello/api/organizations
Enter host password for user 'admin':
{
  "total": 1,
  "subtotal": 1,
...output omitted...
The same is true for oc commands, hammer commands, and many other command-line applications. These utilities can use the certificates managed by ca-trust to validate your connections.