James Pearson
2020-Jun-29 17:40 UTC
[CentOS] Adding root CA certificates for use by NSS applications?
I'm trying to get a third party application to use the root CA certificate of an SSL proxy - but can't work out how to install the cert for use by all users on CentOS 7.

I have the proxy vendor's supplied CA cert in PEM format.

I can install the cert in a user's home directory using 'certutil' - and the application works OK - but I would like to do 'something' to install this cert somewhere central that will be picked up by all users.

After a bit of Googling, I've found that by default, EL7 uses 'p11-kit-trust.so' (from the p11-kit-trust package) as a drop-in replacement for the nss supplied 'libnssckbi.so' (via 'alternatives') - which, I believe, should be able to pick up CA certs installed under /etc/pki/ca-trust/source/anchors/

Strace'ing the app, I can see it reading the files under /etc/pki/ca-trust/source/... including the required CA cert - but the app fails to connect - but I have no idea what might be wrong ...

Am I missing something obvious here? Is there an easier way to achieve what I want?

Thanks

James Pearson