A service of Daily Data, Inc.

software:openssl:installca

Differences

This shows you the differences between two versions of the page.

software:openssl:installca [2025/10/19 16:54] rodolicosoftware:openssl:installca [2025/10/19 18:38] (current) rodolico
Line 111: Line 111:
 </code> </code>
  
 +===== Linux =====
 +
 +Each type of Linux distribution can have a different way of importing a CA, but the procedure is basically the same.
 +  - Copy PEM to a specified directory
 +  - run a command to update the list of CA's
 +
 +==== Debian derivatives ====
 +
 +<code bash>
 +sudo cp ca.pem /usr/local/share/ca-certificates/
 +sudo update-ca-certificates
 +</code>
 +
 +
 +==== RedHat Based ====
 +<code bash>
 +cp pemfile /etc/pki/ca-trust/source/anchors/
 +update-ca-trust
 +</code>
 +
 +
 +===== Automated for Unix =====
 +
 +The following script is suitable for use from a centralized server which has root access via ssh to multiple Unix machines. This is written for something like an Ansible server.
 +
 +It will detect Debian and RedHat based Linux, and FreeBSD Unix.
 +
 +It will
 +  - copy pem file to the /tmp directory on the target machine
 +  - Attempt to detect the operating system type
 +    - If successful, copy pem to appropriate directory and run udpate command
 +    - Otherwise, give an error message
 +
 +Called as
 +<code bash>
 +./updateCALinux target /local/path/to/ca.pem
 +</code>
 +
 +<code bash updateCALinux>
 +#!/bin/bash
 +
 +# Check if the required parameters are provided
 +if [ $# -ne 2 ]; then
 +    echo "Usage: $0 <target_machine> <path_to_ca_cert>"
 +    echo "Example: $0 target_machine /path/to/ca.pem"
 +    exit 1
 +fi
 +
 +TARGET_MACHINE=$1
 +CA_CERT_PATH=$2
 +
 +# Check if the CA certificate file exists locally
 +if [ ! -f "$CA_CERT_PATH" ]; then
 +    echo "CA certificate not found at $CA_CERT_PATH"
 +    exit 1
 +fi
 +
 +# Copy the CA certificate to the target machine
 +echo "Copying CA certificate to $TARGET_MACHINE..."
 +scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/tmp/ca.pem
 +
 +# Connect to the target machine and determine the OS
 +ssh root@"$TARGET_MACHINE" << 'EOF'
 +    # Detect the OS
 +    if [ -f /etc/debian_version ]; then
 +        echo "Detected Debian/Devuan system."
 +        # Install the CA certificate
 +        cp /tmp/ca.pem /usr/local/share/ca-certificates/
 +        update-ca-certificates
 +    
 +    elif [ -f /etc/redhat-release ]; then
 +        echo "Detected Red Hat/CentOS system."
 +        # Install the CA certificate
 +        cp /tmp/ca.pem /etc/pki/ca-trust/source/anchors/
 +        update-ca-trust
 +    
 +    elif [ "$(uname)" = "FreeBSD" ]; then
 +        echo "Detected FreeBSD system."
 +        # Install the CA certificate
 +        cp /tmp/ca.pem /usr/local/share/certs/ca.pem
 +        c_rehash /usr/local/share/certs/
 +    
 +    else
 +        echo "Unsupported OS. Exiting."
 +        exit 1
 +    fi
 +
 +    echo "CA certificates updated successfully."
 +EOF
 +
 +echo "CA certificate installation completed on $TARGET_MACHINE."
 +
 +</code>
 +
 +===== MacOS =====
 +
 +MacOS is based on FreeBSD and could likely be detected by the generic script under the previous section, but I'll show manual here.
 +
 +==== GUI ====
 +
 +  - Open Finder, then navigate to Applications | Utilities | Keychain Access.
 +  - Open File | Import Items
 +  - Find your certificate and select Open
 +  - Choose which keychain to import it to
 +    - System - Available to all users
 +    - login - Available only to the current user
 +  - Locate the new Cert in the keychain and double click to open it
 +  - Expand the **Trust** section
 +  - Change //When using this certificate// to **Always Trust**
 +  - Close and save, answering yes to all questions
 +
 +
 +==== Command Line ====
 +
 +To install rapidly, simply open Terminal (Finder | Applications | Utilities | Terminal ) and issue the following command. You'll need to make sure you know where the PEM file is.
 +
 +<code sh>
 +sudo security add-trust-anchor -d -r trustAsRoot -k /Library/Keychains/System.keychain /path/to/ca.pem
 +</code>
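Review bot: In the Debian branch of updateCALinux (and in the manual Debian block above it) the certificate is copied as ca.pem, but update-ca-certificates only picks up files ending in .crt under /usr/local/share/ca-certificates, so the CA is not added to the trust store while the script still prints "CA certificates updated successfully."; copy it there as ca.crt instead. Nothing in the script checks exit status: the scp result is ignored, the remote block echoes success after a failed cp or update command, and the final "installation completed" line prints even when ssh returns non-zero, so add set -e at the top of the heredoc and test the scp and ssh return codes before reporting success. The staging path /tmp/ca.pem is a fixed name in a world-writable directory and is never removed; because its contents become a system trust anchor, create the remote file with mktemp or stage it in a root-only directory, delete it afterwards, and check that it parses as a certificate (openssl x509 -noout -in) before installing it. In the MacOS section, uname reports Darwin on macOS, so the FreeBSD branch of the script would not match, and the subcommand I know from the security man page for this job is add-trusted-cert (with -r trustRoot for a self-signed root), so please confirm add-trust-anchor and trustAsRoot against the man page. The RedHat manual block also lacks the sudo that the Debian block uses.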
software/openssl/installca.1760910874.txt.gz · Last modified: 2025/10/19 16:54 by rodolico