Differences

This shows you the differences between two versions of the page.

--- software:openssl:installca [2025/10/19 17:08] – rodolico
+++ software:openssl:installca [2025/10/19 18:38] (current) – rodolico
@@ Line 119: / Line 119: @@
 ==== Debian derivatives ====
-==== Manual ====
+<code bash>
-<code bash installDebianCA>
 sudo cp ca.pem /usr/local/share/ca-certificates/
 sudo update-ca-certificates
 </code>
-==== Automated ====
-  - Place PEM file in a server with access to other machines (like an ansible server)
+==== RedHat Based ====
-  - Requires root access on all target machines
+<code bash>
-  - Run the following script for each machine
+cp pemfile /etc/pki/ca-trust/source/anchors/
+update-ca-trust
+</code>
+===== Automated for Unix =====
+The following script is suitable for use from a centralized server which has root access via ssh to multiple Unix machines. This is written for something like an Ansible server.
+It will detect Debian and RedHat based Linux, and FreeBSD Unix.
+It will
+  - copy pem file to the /tmp directory on the target machine
+  - Attempt to detect the operating system type
+    - If successful, copy pem to appropriate directory and run udpate command
+    - Otherwise, give an error message
+Called as
 <code bash>
-./installDebianCA targetMachine /path/to/cert.pm
+./updateCALinux target /local/path/to/ca.pem
 </code>
-<code bash installDebianCA>
+<code bash updateCALinux>
 #!/bin/bash
@@ Line 157: / Line 170: @@
 # Copy the CA certificate to the target machine
 echo "Copying CA certificate to $TARGET_MACHINE..."
-scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/usr/local/share/ca-certificates/
+scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/tmp/ca.pem
-# Connect to the target machine and update CA certificates
+# Connect to the target machine and determine the OS
-echo "Updating CA certificates on $TARGET_MACHINE..."
 ssh root@"$TARGET_MACHINE" << 'EOF'
-    echo "Updating CA certificates..."
+    # Detect the OS
-    update-ca-certificates
+    if [ -f /etc/debian_version ]; then
+        echo "Detected Debian/Devuan system."
+        # Install the CA certificate
+        cp /tmp/ca.pem /usr/local/share/ca-certificates/
+        update-ca-certificates
+    elif [ -f /etc/redhat-release ]; then
+        echo "Detected Red Hat/CentOS system."
+        # Install the CA certificate
+        cp /tmp/ca.pem /etc/pki/ca-trust/source/anchors/
+        update-ca-trust
+    elif [ "$(uname)" = "FreeBSD" ]; then
+        echo "Detected FreeBSD system."
+        # Install the CA certificate
+        cp /tmp/ca.pem /usr/local/share/certs/ca.pem
+        c_rehash /usr/local/share/certs/
+    else
+        echo "Unsupported OS. Exiting."
+        exit 1
+    fi
     echo "CA certificates updated successfully."
 EOF
 echo "CA certificate installation completed on $TARGET_MACHINE."
+</code>
+===== MacOS =====
+MacOS is based on FreeBSD and could likely be detected by the generic script under the previous section, but I'll show manual here.
+==== GUI ====
+  - Open Finder, then navigate to Applications | Utilities | Keychain Access.
+  - Open File | Import Items
+  - Find your certificate and select Open
+  - Choose which keychain to import it to
+    - System - Available to all users
+    - login - Available only to the current user
+  - Locate the new Cert in the keychain and double click to open it
+  - Expand the **Trust** section
+  - Change //When using this certificate// to **Always Trust**
+  - Close and save, answering yes to all questions
+==== Command Line ====
+To install rapidly, simply open Terminal (Finder | Applications | Utilities | Terminal ) and issue the following command. You'll need to make sure you know where the PEM file is.
+<code sh>
+sudo security add-trust-anchor -d -r trustAsRoot -k /Library/Keychains/System.keychain /path/to/ca.pem
 </code>