propagate certificate with SAN by update-ca-certificates

I have a self-signed certificate in /etc/pki/trust/anchors/ and would like to propagate it to the certificate stores used by openssl, /var/lib/ca-certificates/.
My certificate is created with subjectAltName, but update-ca-certificates failed to propagate it to /var/lib/ca-certificates/*/
Is there anything wrong? Thanks!

-------------openssl.conf -------

organizationName=YourCompany, Inc.

[ v3_req ]
# Extensions to add to a certificate request

subjectAltName = @alt_names

[ alt_names ]
DNS.1 =
-------------end --------------
The command I used:
% openssl req -x509 -days 10000 -newkey rsa:2048 -nodes -config /tmp/openssl.conf -keyout $TMP_DIR/key.pem -out $TMP_DIR/cert.pem
% cp $TMP_DIR/cert.pem /etc/pki/trust/anchors/
% update-ca-certificates

But the cert isn’t exported to /var/lib/ca-certificates/pem.
If I comment out ‘x509_extensions=v3_req’, the newly generated CA can be exported.
Is there anything I missed?

The steps/conf work on Ubuntu. What’s special about SLES12’s ca-certificates package?

The doc I referred to:

Hi dyw,

could you please share the certificate details from running “openssl x509 -noout -text -in /etc/pki/trust/anchors/cert.pem”? Of course you can invalidate fields that contain information not intended for the public - I’m looking for all the flags set in the certificate.

Also, does running “update-ca-certificates -v” give any helpful information?

As far as I can tell, update-ca-certificates relies on “/usr/bin/trust” to actually select which certificates to handle; I guess that this has its own requirements on what it sees as a CA certificate. You may want to manually invoke that to add your certificate and see if any helpful details are made available.


Hi jmozdzen
Thank you very much for the help!
Your reply really resolved my problem.
My certificate isn’t a CA certificate, so ‘trust --filter=ca-anchors’ rejects it.

I have another question: why is my certificate without v3_req trusted and propagated to /var/lib/ca-certificates/pem by “update-ca-certificates”?
Is it a CA certificate without the v3_req setting?
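The property that decides the outcome in this thread is the certificate's basicConstraints extension. OpenSSL's stock openssl.cnf ships a [ v3_req ] section that starts with `basicConstraints = CA:FALSE`, so a self-signed certificate built with `x509_extensions = v3_req` is explicitly marked as not a CA and `trust` skips it when collecting CA anchors. Leave that section out and the certificate carries no CA:FALSE marker (with OpenSSL 1.0.x it becomes a v1 certificate with no extensions at all; OpenSSL 3 adds `CA:TRUE` by default), so it is accepted as an anchor. The script below is an added example, not the poster's or the SLES package's code: it builds two self-signed certificates that both carry a subjectAltName, one through a v3_req section copied from the stock config and one through a v3_ca section that sets `CA:TRUE`, and provides a check you can run on any file before copying it into /etc/pki/trust/anchors/. The config contents, file names and the host name example.internal are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA-flagged and a non-CA
# self-signed certificate, both with a SAN, and show which one qualifies
# as a CA anchor by inspecting basicConstraints. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl config. The v3_req section mirrors OpenSSL's stock
# openssl.cnf (CA:FALSE), which is what makes a certificate unusable as an
# anchor; v3_ca keeps the SAN but sets CA:TRUE plus CA-appropriate key usage.
write_config() {
    # $1 = output path, $2 = name of the x509 extensions section to use
    cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = $2

[ dn ]
CN = example.internal
O = YourCompany, Inc.

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.internal
DNS.2 = www.example.internal
EOF
}

# Generate a self-signed certificate from a config; prints the PEM path.
make_cert() {
    # $1 = label used for file names, $2 = extensions section
    cfg="$WORK/$1.cnf"
    write_config "$cfg" "$2"
    openssl req -x509 -days 365 -newkey rsa:2048 -nodes \
        -config "$cfg" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
    printf '%s\n' "$WORK/$1.pem"
}

# Return 0 if the certificate carries basicConstraints CA:TRUE, 1 otherwise.
# Run this on a file before dropping it into /etc/pki/trust/anchors/: a
# certificate that fails here will not show up under /var/lib/ca-certificates/.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Return 0 if the certificate lists the given DNS name in its SAN.
has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# Demonstration: build both certificates and report which one qualifies.
for spec in ca:v3_ca leaf:v3_req; do
    label="${spec%%:*}"
    section="${spec#*:}"
    pem="$(make_cert "$label" "$section")"
    if is_ca_cert "$pem"; then
        echo "$label ($section): CA:TRUE, accepted as a CA anchor"
    else
        echo "$label ($section): not a CA, rejected as a CA anchor"
    fi
done
```

After copying the CA-flagged certificate to /etc/pki/trust/anchors/ and running `update-ca-certificates -v`, `trust list` should show it as a trusted anchor. If the goal is a server certificate rather than a trust anchor, keeping `CA:FALSE` is the right choice and the anchors directory is simply the wrong place for it; the store only propagates certificates that can sign others.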