A service of Daily Data, Inc.
software:openssl:installca

Differences

This shows you the differences between two versions of the page.

software:openssl:installca [2025/10/19 17:12] rodolico
software:openssl:installca [2025/10/19 18:38] (current) rodolico
Line 119: Line 119:
 ==== Debian derivatives ==== ==== Debian derivatives ====
  
-=== Manual === +<code bash>
- +
-<code bash installDebianCA>+
 sudo cp ca.pem /usr/local/share/ca-certificates/ sudo cp ca.pem /usr/local/share/ca-certificates/
 sudo update-ca-certificates sudo update-ca-certificates
 </code> </code>
  
-=== Automated === 
  
-  Place PEM file in a server with access to other machines (like an ansible server+==== RedHat Based ==== 
-  - Requires root access on all target machines +<code bash> 
-  - Run the following script for each machine+cp pemfile /etc/pki/ca-trust/source/anchors/ 
 +update-ca-trust 
 +</code> 
 + 
 + 
 +===== Automated for Unix ===== 
 + 
 +The following script is suitable for use from centralized server which has root access via ssh to multiple Unix machines. This is written for something like an Ansible server.
  
 +It will detect Debian and RedHat based Linux, and FreeBSD Unix.
 +
 +It will
 +  - copy pem file to the /tmp directory on the target machine
 +  - Attempt to detect the operating system type
 +    - If successful, copy pem to appropriate directory and run udpate command
 +    - Otherwise, give an error message
 +
 +Called as
 <code bash> <code bash>
-./installDebianCA targetMachine /path/to/cert.pm+./updateCALinux target /local/path/to/ca.pem
 </code> </code>
  
-<code bash installDebianCA>+<code bash updateCALinux>
 #!/bin/bash #!/bin/bash
  
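Review bot: The new RedHat block (`cp pemfile /etc/pki/ca-trust/source/anchors/`, `update-ca-trust`) drops the `sudo` that the Debian block just above it uses and calls the file `pemfile` instead of `ca.pem`; both commands need root, so add `sudo` and use the same file name in both blocks. In the step list, "udpate command" should read "update command", and the script is named `updateCALinux` although the text says it also handles FreeBSD. Because this pushes a trusted root to many hosts as root, the text could also tell the operator to confirm the certificate's fingerprint before running it.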
Line 157: Line 170:
 # Copy the CA certificate to the target machine # Copy the CA certificate to the target machine
 echo "Copying CA certificate to $TARGET_MACHINE..." echo "Copying CA certificate to $TARGET_MACHINE..."
-scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/usr/local/share/ca-certificates/+scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/tmp/ca.pem
  
-# Connect to the target machine and update CA certificates +# Connect to the target machine and determine the OS
-echo "Updating CA certificates on $TARGET_MACHINE..."+
 ssh root@"$TARGET_MACHINE" << 'EOF' ssh root@"$TARGET_MACHINE" << 'EOF'
-    echo "Updating CA certificates..." +    # Detect the OS 
-    update-ca-certificates+    if [ -f /etc/debian_version ]; then 
 +        echo "Detected Debian/Devuan system." 
 +        # Install the CA certificate 
 +        cp /tmp/ca.pem /usr/local/share/ca-certificates
 +        update-ca-certificates 
 +     
 +    elif [ -f /etc/redhat-release ]; then 
 +        echo "Detected Red Hat/CentOS system." 
 +        # Install the CA certificate 
 +        cp /tmp/ca.pem /etc/pki/ca-trust/source/anchors/ 
 +        update-ca-trust 
 +     
 +    elif [ "$(uname)" = "FreeBSD" ]; then 
 +        echo "Detected FreeBSD system." 
 +        # Install the CA certificate 
 +        cp /tmp/ca.pem /usr/local/share/certs/ca.pem 
 +        c_rehash /usr/local/share/certs/ 
 +     
 +    else 
 +        echo "Unsupported OS. Exiting." 
 +        exit 1 
 +    fi 
     echo "CA certificates updated successfully."     echo "CA certificates updated successfully."
 EOF EOF
  
 echo "CA certificate installation completed on $TARGET_MACHINE." echo "CA certificate installation completed on $TARGET_MACHINE."
-</code> 
  
-==== RedHat Based ==== 
-=== Manual === 
-<code bash> 
-cp pemfile /etc/pki/ca-trust/source/anchors/ 
-update-ca-trust 
 </code> </code>
  
-=== Automated === +===== MacOS =====
-The same script as Debian, but the temporary path to store and the command to update known CA's is different. Here is the full script.+
  
-<code bash updateRedHatCA> +MacOS is based on FreeBSD and could likely be detected by the generic script under the previous section, but I'll show manual here.
-#!/bin/bash+
  
-# Check if the required parameters are provided +==== GUI ====
-if [ $# -ne 2 ]; then +
-    echo "Usage: $0 <target_machine> <path_to_ca_cert>" +
-    echo "Example: $0 target_machine /path/to/ca.pem" +
-    exit 1 +
-fi+
  
-TARGET_MACHINE=$1 +  - Open Finder, then navigate to Applications | Utilities | Keychain Access. 
-CA_CERT_PATH=$2+  - Open File | Import Items 
 +  - Find your certificate and select Open 
 +  - Choose which keychain to import it to 
 +    - System - Available to all users 
 +    - login - Available only to the current user 
 +  - Locate the new Cert in the keychain and double click to open it 
 +  - Expand the **Trust** section 
 +  - Change //When using this certificate// to **Always Trust** 
 +  - Close and save, answering yes to all questions
  
-# Check if the CA certificate file exists locally 
-if [ ! -f "$CA_CERT_PATH" ]; then 
-    echo "CA certificate not found at $CA_CERT_PATH" 
-    exit 1 
-fi 
  
-# Copy the CA certificate to the target machine +==== Command Line ====
-echo "Copying CA certificate to $TARGET_MACHINE..." +
-scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/etc/pki/ca-trust/source/anchors/+
  
-# Connect to the target machine and update CA certificates +To install rapidly, simply open Terminal (Finder | Applications | Utilities | Terminal ) and issue the following commandYou'll need to make sure you know where the PEM file is.
-echo "Updating CA certificates on $TARGET_MACHINE..." +
-ssh root@"$TARGET_MACHINE" << 'EOF' +
-    echo "Updating CA certificates..." +
-    update-ca-trust +
-    echo "CA certificates updated successfully.+
-EOF+
  
-echo "CA certificate installation completed on $TARGET_MACHINE."+<code sh> 
 +sudo security add-trust-anchor -d -r trustAsRoot -k /Library/Keychains/System.keychain /path/to/ca.pem
 </code> </code>
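Review bot: In the Debian branch of the heredoc, `cp /tmp/ca.pem /usr/local/share/ca-certificates` keeps the `.pem` name, but update-ca-certificates only picks up files ending in `.crt` under that directory, so the CA would be copied and then ignored; copy it to a `.crt` name such as `/usr/local/share/ca-certificates/ca.crt`. Neither the `scp` nor the `ssh` exit status is checked, so the final "CA certificate installation completed" line prints even when the copy fails or the remote side reaches `exit 1`; test both and exit non-zero on failure. The fixed `/tmp/ca.pem` path is predictable in a world-writable directory and is never removed; a file created with `mktemp` on the target and deleted at the end of the heredoc would be safer. In the MacOS section, `uname` on macOS reports `Darwin`, so the `[ "$(uname)" = "FreeBSD" ]` test would not match it, and the `security` subcommand name should be checked against `man security`, where the one taking `-d -r -k` is `add-trusted-cert`.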
software/openssl/installca.1760911957.txt.gz · Last modified: 2025/10/19 17:12 by rodolico