propagate certificate with SAN by update-ca-certificates

I have a self-signed certificate in /etc/pki/trust/anchors/ and would like to propagate it to the certificate stores used by openssl under /var/lib/ca-certificates/.
My certificate is created with a subjectAltName, but update-ca-certificates failed to propagate it to /var/lib/ca-certificates/*/.
Is there anything wrong? Thanks!

-------------openssl.conf -------
[req]
distinguished_name=user_dn
x509_extensions=v3_req
prompt=no

[user_dn]
commonName=stage-host-18.xxx.com
organizationName=YourCompany, Inc.
organizationalUnitName=Division
countryName=US

[v3_req]
# Extensions to add to a certificate request
subjectAltName = @alt_names

[alt_names]
DNS.1 = stage-host-18.xxx.com
-------------end --------------
The commands I used:
% openssl req -x509 -days 10000 -newkey rsa:2048 -nodes -config /tmp/openssl.conf -keyout $TMP_DIR/key.pem -out $TMP_DIR/cert.pem
% cp $TMP_DIR/cert.pem /etc/pki/trust/anchors/
% update-ca-certificates

But the cert isn’t exported to /var/lib/ca-certificates/pem.
If I comment out ‘x509_extensions=v3_req’, the newly generated CA can be exported.
Is there anything I missed?

The steps/config work on Ubuntu. What is special about SLES12’s ca-certificates package?

The doc I referred to:
https://www.suse.com/releasenotes/x86_64/SUSE-SLES/12/#fate-317835

Hi dyw,

could you please share the certificate details from running “openssl x509 -noout -text -in /etc/pki/trust/anchors/cert.pem”? Of course you can invalidate fields that contain information not intended for the public - I am looking for all the flags set in the certificate.

Also, does running “update-ca-certificates -v” give any helpful information?

As far as I can tell, update-ca-certificates relies on “/usr/bin/trust” to actually select which certificates to handle, I guess that this has its requirements on what it sees as a CA certificate. You may want to manually invoke that (https://p11-glue.freedesktop.org/doc/p11-kit/trust.html), to add your certificate and see if any helpful details are made available.

Regards,
J

Hi jmozdzen,
Thank you very much for the help!
Your reply really resolved my problem.
My certificate isn’t a CA certificate, so ‘trust --filter=ca-anchors’ rejects it.

I have another question: why is my certificate without v3_req trusted and propagated to /var/lib/ca-certificates/pem by “update-ca-certificates”?
Is it a CA certificate without the v3_req setting?
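As an added example (not code from the thread or from the ca-certificates/p11-kit projects), the following Python script does the check J asked for offline: it walks the DER of a certificate and reports its X.509 version and whether it carries basicConstraints CA:TRUE, the property the thread identifies as what `trust --filter=ca-anchors` requires of an anchor. The sample certificates are constructed in the script with placeholder keys and signatures (only the structure matters for this check); `classify_cert` accepts the real PEM from /etc/pki/trust/anchors/cert.pem just as well.

```python
import base64

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19
def der(tag, content):  # encode one DER TLV; lengths up to 65535 bytes are enough here
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def tlv_iter(data):
    """Yield (tag, content) for each DER element inside a constructed value."""
    pos = 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length >= 0x80:  # long form: the low 7 bits say how many length bytes follow
            length, pos = int.from_bytes(data[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
        yield tag, data[pos:pos + length]
        pos += length

def classify_cert(cert):
    """Accept PEM or DER bytes; return (version, verdict) with verdict 'ca', 'end-entity' or 'no-basic-constraints'."""
    if cert.lstrip().startswith(b"-----BEGIN"):  # strip the PEM armour
        cert = base64.b64decode(b"".join(l for l in cert.splitlines() if not l.startswith(b"-----")))
    (_, tbs), *_ = tlv_iter(next(tlv_iter(cert))[1])  # Certificate ::= SEQUENCE {tbsCertificate, alg, sig}
    version, verdict = 1, "no-basic-constraints"  # no [0] version field means v1, which cannot carry extensions
    for tag, content in tlv_iter(tbs):
        if tag == 0xA0:  # [0] EXPLICIT Version, zero-based INTEGER
            version = next(tlv_iter(content))[1][0] + 1
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in tlv_iter(next(tlv_iter(content))[1]):
            fields = list(tlv_iter(ext))  # extnID OID, optional critical BOOLEAN, extnValue OCTET STRING
            if fields[0][1] == BASIC_CONSTRAINTS_OID:
                flags = list(tlv_iter(next(tlv_iter(fields[-1][1]))[1]))  # SEQUENCE {cA BOOLEAN DEFAULT FALSE, ...}
                verdict = "ca" if flags and flags[0] == (0x01, b"\xff") else "end-entity"
    return version, verdict

def basic_constraints(ca):
    """Extension for `basicConstraints = critical, CA:TRUE|FALSE` (DER omits the default FALSE)."""
    return der(0x30, der(0x06, BASIC_CONSTRAINTS_OID) + der(0x01, b"\xff") + der(0x04, der(0x30, der(0x01, b"\xff") if ca else b"")))

def subject_alt_name(dns):
    """Extension for the thread's `subjectAltName = DNS:<name>` (dNSName is [2] IMPLICIT IA5String)."""
    return der(0x30, der(0x06, bytes.fromhex("551d11")) + der(0x04, der(0x30, der(0x82, dns))))

def sample_cert(extensions=None):
    """Constructed sample: minimal X.509 skeleton with placeholder key and signature, v1 when no extensions are given."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSAEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"stage-host-18.xxx.com"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x02, b"\x01") + alg + name + validity + name + der(0x30, alg + der(0x03, b"\x00" * 17))
    if extensions is not None:  # v3: explicit version 2 in front, extensions at the end
        tbs = der(0xA0, der(0x02, b"\x02")) + tbs + der(0xA3, der(0x30, b"".join(extensions)))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 17))
```

Run `classify_cert(open("/etc/pki/trust/anchors/cert.pem", "rb").read())` against a real file; a cert built from the v3_req section above comes back as `(3, "no-basic-constraints")`, while one with `basicConstraints = critical, CA:TRUE` in that section comes back as `(3, "ca")`.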