Differences

This shows you the differences between two versions of the page.

--- software:openssl:installca [2025/10/19 17:15] – rodolico
+++ software:openssl:installca [2025/10/19 18:38] (current) – rodolico
@@ Line 119: / Line 119: @@
 ==== Debian derivatives ====
-=== Manual ===
+<code bash>
-<code bash installDebianCA>
 sudo cp ca.pem /usr/local/share/ca-certificates/
 sudo update-ca-certificates
 </code>
-=== Automated ===
-  - Place PEM file in a server with access to other machines (like an ansible server)
-  - Requires root access on all target machines
-  - Run the following script for each machine
-<code bash>
-./installDebianCA targetMachine /path/to/cert.pm
-</code>
-<code bash installDebianCA>
-#!/bin/bash
-# Check if the required parameters are provided
-if [ $# -ne 2 ]; then
-    echo "Usage: $0 <target_machine> <path_to_ca_cert>"
-    echo "Example: $0 target_machine /path/to/ca.pem"
-    exit 1
-fi
-TARGET_MACHINE=$1
-CA_CERT_PATH=$2
-# Check if the CA certificate file exists locally
-if [ ! -f "$CA_CERT_PATH" ]; then
-    echo "CA certificate not found at $CA_CERT_PATH"
-    exit 1
-fi
-# Copy the CA certificate to the target machine
-echo "Copying CA certificate to $TARGET_MACHINE..."
-scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/usr/local/share/ca-certificates/
-# Connect to the target machine and update CA certificates
-echo "Updating CA certificates on $TARGET_MACHINE..."
-ssh root@"$TARGET_MACHINE" << 'EOF'
-    echo "Updating CA certificates..."
-    update-ca-certificates
-    echo "CA certificates updated successfully."
-EOF
-echo "CA certificate installation completed on $TARGET_MACHINE."
-</code>
 ==== RedHat Based ====
-=== Manual ===
 <code bash>
 cp pemfile /etc/pki/ca-trust/source/anchors/
@@ Line 177: / Line 131: @@
 </code>
-=== Automated ===
-The same script as Debian, but the temporary path to store and the command to update known CA's is different. Here is the full script.
-<code bash updateRedHatCA>
+===== Automated for Unix =====
-#!/bin/bash
-# Check if the required parameters are provided
+The following script is suitable for use from a centralized server which has root access via ssh to multiple Unix machines. This is written for something like an Ansible server.
-if [ $# -ne 2 ]; then
-    echo "Usage: $0 <target_machine> <path_to_ca_cert>"
-    echo "Example: $0 target_machine /path/to/ca.pem"
-    exit 1
-fi
-TARGET_MACHINE=$1
+It will detect Debian and RedHat based Linux, and FreeBSD Unix.
-CA_CERT_PATH=$2
-# Check if the CA certificate file exists locally
+It will
-if [ ! -f "$CA_CERT_PATH" ]; then
+  - copy pem file to the /tmp directory on the target machine
-    echo "CA certificate not found at $CA_CERT_PATH"
+  - Attempt to detect the operating system type
-    exit 1
+    - If successful, copy pem to appropriate directory and run udpate command
-fi
+    - Otherwise, give an error message
-# Copy the CA certificate to the target machine
+Called as
-echo "Copying CA certificate to $TARGET_MACHINE..."
+<code bash>
-scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/etc/pki/ca-trust/source/anchors/
+./updateCALinux target /local/path/to/ca.pem
-# Connect to the target machine and update CA certificates
-echo "Updating CA certificates on $TARGET_MACHINE..."
-ssh root@"$TARGET_MACHINE" << 'EOF'
-    echo "Updating CA certificates..."
-    update-ca-trust
-    echo "CA certificates updated successfully."
-EOF
-echo "CA certificate installation completed on $TARGET_MACHINE."
 </code>
-==== Automated for RedHat or Debian ====
 <code bash updateCALinux>
 #!/bin/bash
@@ Line 243: / Line 177: @@
     if [ -f /etc/debian_version ]; then
         echo "Detected Debian/Devuan system."
-        # Copy the CA certificate
+        # Install the CA certificate
         cp /tmp/ca.pem /usr/local/share/ca-certificates/
-        # Update CA certificates
         update-ca-certificates
     elif [ -f /etc/redhat-release ]; then
         echo "Detected Red Hat/CentOS system."
-        # Copy the CA certificate
+        # Install the CA certificate
         cp /tmp/ca.pem /etc/pki/ca-trust/source/anchors/
-        # Update CA certificates
         update-ca-trust
+    elif [ "$(uname)" = "FreeBSD" ]; then
+        echo "Detected FreeBSD system."
+        # Install the CA certificate
+        cp /tmp/ca.pem /usr/local/share/certs/ca.pem
+        c_rehash /usr/local/share/certs/
     else
         echo "Unsupported OS. Exiting."
         exit 1
     fi
     echo "CA certificates updated successfully."
 EOF
@@ Line 264: / Line 205: @@
 </code>
+===== MacOS =====
+MacOS is based on FreeBSD and could likely be detected by the generic script under the previous section, but I'll show manual here.
+==== GUI ====
+  - Open Finder, then navigate to Applications | Utilities | Keychain Access.
+  - Open File | Import Items
+  - Find your certificate and select Open
+  - Choose which keychain to import it to
+    - System - Available to all users
+    - login - Available only to the current user
+  - Locate the new Cert in the keychain and double click to open it
+  - Expand the **Trust** section
+  - Change //When using this certificate// to **Always Trust**
+  - Close and save, answering yes to all questions
+==== Command Line ====
+To install rapidly, simply open Terminal (Finder | Applications | Utilities | Terminal ) and issue the following command. You'll need to make sure you know where the PEM file is.
+<code sh>
+sudo security add-trust-anchor -d -r trustAsRoot -k /Library/Keychains/System.keychain /path/to/ca.pem
+</code>