4. Install the Certificate Authority Certificate
This chapter explains how to find the Certificate Authority (CA) certificate and how to install it on the server.
4.1. Locate the CA certificate
If you are unable to find your CA certificate or your issuer did not provide one, below are the steps to locate and convert your CA certificate.
Convert your .p12 certificate to a .pem certificate.
openssl pkcs12 -in certificate.p12 -out user.pem -clcerts -nokeys
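Now inspect this .pem file and search it for the reference to the CA certificate. If the certificate carries a CA Issuers URI, the matching line shows the URL of the CA certificate.
openssl x509 -in user.pem -noout -text | grep CA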
Use wget to download this certificate.
wget <certificate URL>
If the .crt is in binary (DER) format, convert it to PEM.
openssl x509 -inform DER -outform PEM -in binary.crt -out txt.crt
Now copy this certificate to the correct folder and update the certificates, as described in section 4.3.
4.2. Extract the CA certificate from PKCS #12
Another possibility is to extract the CA certificate from your PKCS #12 file. If the PKCS #12 file does not contain a CA certificate, the output file will be empty.
openssl pkcs12 -in certificate.p12 -cacerts -nokeys -out ca.crt
Note
We recommend using the CA certificate your certificate issuer provides.
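Before installing, it is worth checking that ca.crt is usable: that it is not empty (section 4.2), that it is PEM rather than DER (section 4.1), that it is a CA certificate, and that your user certificate verifies against it. The script below is an added example, not part of the original documentation; the function names cert_encoding and check_ca are hypothetical, and it assumes OpenSSL 1.1.0 or later and a ca.crt that holds the chain up to the root.

```sh
#!/bin/sh
# Added example (not from the original documentation): checks to run on ca.crt
# before installing it. cert_encoding and check_ca are hypothetical helper names.

# Print how a certificate file is encoded: empty, pem, der or unknown.
cert_encoding() {
    [ -s "$1" ] || { echo empty; return 0; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}

# Usage: check_ca ca.crt user.pem
# Returns 0 when ca.crt is a PEM CA certificate (or a chain up to the root)
# that user.pem verifies against; otherwise prints the reason and returns non-zero.
check_ca() {
    ca=$1
    user=$2
    case "$(cert_encoding "$ca")" in
        pem) ;;
        empty) echo "$ca is empty: no CA certificate was extracted" >&2; return 2 ;;
        der) echo "$ca is DER: convert it to PEM first" >&2; return 3 ;;
        *) echo "$ca is not a certificate" >&2; return 4 ;;
    esac
    # An end-entity certificate has CA:FALSE (or no basicConstraints at all).
    if ! openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE'; then
        echo "$ca is not a CA certificate" >&2; return 5
    fi
    # -no-CApath (OpenSSL 1.1.0+) keeps the system trust directory out of the check.
    if ! openssl verify -no-CApath -CAfile "$ca" "$user" >/dev/null 2>&1; then
        echo "$user does not verify against $ca" >&2; return 6
    fi
    echo "$ca is a CA certificate for $user"
}

# Run the check when called as: sh check_ca.sh ca.crt user.pem
if [ "$#" -eq 2 ]; then check_ca "$1" "$2"; fi
```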
4.3. Install the CA certificate
4.3.1. DEB based
Copy your CA certificate to the ca-certificates folder:
cp ca.crt /usr/local/share/ca-certificates
Update the certificates:
update-ca-certificates -f -v
4.3.2. RPM based
Install the ca-certificates package:
yum install ca-certificates
Enable the dynamic CA configuration feature:
update-ca-trust enable
Rename your ca.crt to ca.pem (this changes only the file name, so ca.crt must already be PEM-encoded):
mv ca.crt ca.pem
Add it as a new file to /etc/pki/tls/certs/:
cp ca.pem /etc/pki/tls/certs/
Now regenerate the hash links so the system easily finds it:
c_rehash
Important
Make sure your CA certificates can be read by the user that runs the web server, for example www-data on Debian and Ubuntu.