Hi jmozdzen
Thank you very much for your help!
https://forums.suse.com/showthread.php?10183-propagate-certificate-with-SAN-by-update-ca-certificates
I think you are right. My certificate isn’t a CA certificate, so ‘trust --filter=ca-anchors’ rejects it.
If I’d like to create a CA. Is there anything else beside the setting?
basicConstraints=CA:TRUE
basicConstraints=critical,CA:TRUE, pathlen:0
I have another question, why the certificate is accepted without v3_req?
Your help is really appreciated!
FYI
- could you please share the certificate details from running “openssl x509 -noout -text -in /etc/pki/trust/anchors/cert.pem”? Of course you can invalidate fields that contain information not intended for the public - I looking for all the flags set in the certificate.
openssl req -x509 -days 10000 -newkey rsa:2048 -nodes -config /tmp/openssl.conf -keyout $TMP_DIR/key.pem -out $TMP_DIR/cert.pem
Generating a 2048 bit RSA private key
…+++
…+++
writing new private key to ‘/tmp/key.pem’
more /tmp/cert.pem
-----BEGIN CERTIFICATE-----
MIIDqjCCApKgAwIBAgIJAPm2u4/S0JTfMA0GCSqGSIb3DQEBCwUAMHUxNzA1BgNV
BAMMLnNjLWJ1aWxkLXN0YWdlLXNpZ24tZGhjcC0xOC0yMzkuZW5nLnZtd2FyZS5j
b20xGjAYBgNVBAoMEVlvdXJDb21wYW55LCBJbmMuMREwDwYDVQQLDAhEaXZpc2lv
bjELMAkGA1UEBhMCVVMwHhcNMTcxMTE0MDgzODI5WhcNNDUwNDAxMDgzODI5WjB1
MTcwNQYDVQQDDC5zYy1idWlsZC1zdGFnZS1zaWduLWRoY3AtMTgtMjM5LmVuZy52
bXdhcmUuY29tMRowGAYDVQQKDBFZb3VyQ29tcGFueSwgSW5jLjERMA8GA1UECwwI
RGl2aXNpb24xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAxg+QeKGJzAbQri10fuM+ZIUXd9qLEKsTT7YH/kfW166WmbzP4IVrCdOE
cMPLn8h/U0HuQOxc0KzUqbpZ0ppyQtPRpJOCO9Qcx+0qGQDnT8blGZdXtjAEHurC
xhzOK7pzNcGVOKo/7losw4gsRs09BCL+LnallNJmf0btPwE1Z8TWhsS6dJyRplci
rGCJzPDk/OF1bD6cr8hLYR+x7Di6VrP71DIYSQreRd8uQwII3bF9UDdtUidWayOe
Lnq/rhkpVUPfKlIKI5FYZsXsWV/dYfnvoBn7QzGpxmUqqxD2Ot49N93/2V8nb95j
EiuG9e53Tv+ZXWaYzw17bgx/cduNnwIDAQABoz0wOzA5BgNVHREEMjAwgi5zYy1i
dWlsZC1zdGFnZS1zaWduLWRoY3AtMTgtMjM5LmVuZy52bXdhcmUuY29tMA0GCSqG
SIb3DQEBCwUAA4IBAQBVsnxXBz3bPiA+LEDNM5S10HI8qcxlM7zWoRtIX1zgKSAy
Ys7Frk/GxzwWVQ8JLCRr/spXeGVOatPgL4AtCuF0NbCBxv44GmJOkLwuKe9gjBXf
C9C1OzMV5V84WBbaqCqoVmKTnoo5EbhCOwMlx7yuZc6ymTRzm3hHzvSf5wF0s2Dy
XunSzv/L9u/YpyET80/e3fLJj1BfPy1xQ/rxnas+Yxjl8XgUCjdH7HuRoOsgT956
Un+kV9pR25L852TBNhGeCqFApk3N97U4IuIcqC2ry9M8uiSyysboNotT9CLs+byR
7YUSV4ii+PhMVXI/M/6X+Y+dB6flMS5/ccNS+YE2
-----END CERTIFICATE-----
- Also, does running “update-ca-certificates -v” give any helpful information?
I don’t think verbose info is helpful. I edited /usr/lib/ca-certificates/update.d/80etc_ssl.run to print trust command.
update-ca-certificates -v
running /usr/lib/ca-certificates/update.d/50java.run …
creating /var/lib/ca-certificates/java-cacerts …
running /usr/lib/ca-certificates/update.d/70openssl.run …
creating /var/lib/ca-certificates/openssl …
running /usr/lib/ca-certificates/update.d/80etc_ssl.run …
trust extract --purpose=server-auth --filter=ca-anchors --format=pem-directory -f /var/lib/ca-certificates/pem
running /usr/lib/ca-certificates/update.d/99certbundle.run …
creating /var/lib/ca-certificates/ca-bundle.pem …