Managing the SSL store
The SSL store contains the certificates of the Certification Authorities (CAs) trusted by the gateway. It defines the gateway's root of trust and, indirectly, which connections it will consider secure.
Add a CA certificate
You can add a new CA certificate to trust in the store.
Copy the certificate to the gateway at /usr/share/ca-certificates/extra/.
The certificate must be in PEM format. You can convert your certificate following this guide: https://www.sslshopper.com/ssl-converter.html.
Example: install the LE ISRG X1 certificate
Reference the certificate in the CA certificate store configuration file at /etc/ca-certificates.conf.
Content of /etc/ca-certificates.conf
Finally, update the CA certificates store with:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
The new certificate is now installed. You may need to restart the applications using the SSL store to make them include the newly installed certificate.
Remove a CA certificate
Mark the certificate to be deleted in the CA certificate store configuration file at /etc/ca-certificates.conf (prefix the line with !).
Update the CA certificates store with:
Update CA certificates
Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
You can then clean up by removing the certificate from /usr/share/ca-certificates/extra and the configuration entry in /etc/ca-certificates.conf.
The certificate is now removed. You may need to restart the applications using the SSL store to make them ignore the removed certificate.
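Both the add and the remove procedures above come down to editing /etc/ca-certificates.conf and then updating the store. The shell helpers below are an added example, not part of the original page; the helper names and the file name example-root.crt are assumptions, and entries are written relative to /usr/share/ca-certificates.

```shell
#!/bin/sh
# Added example (not from the original page). Helper names and
# extra/example-root.crt are assumptions for illustration.
CONF="${CONF:-/etc/ca-certificates.conf}"

# Cheap format check: does the file carry PEM certificate markers?
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Report how an entry (path relative to /usr/share/ca-certificates)
# currently appears in the configuration file.
ca_conf_state() {
    if grep -q -x -F -- "$1" "$CONF"; then echo enabled
    elif grep -q -x -F -- "!$1" "$CONF"; then echo disabled
    else echo absent
    fi
}

# Trust an entry: drop any "!entry" line, then append "entry" once.
ca_conf_enable() {
    tmp="$(mktemp)" || return 1
    grep -v -x -F -- "!$1" "$CONF" > "$tmp" || :
    grep -q -x -F -- "$1" "$tmp" || printf '%s\n' "$1" >> "$tmp"
    cat "$tmp" > "$CONF" && rm -f "$tmp"   # keeps owner and mode of CONF
}

# Distrust an entry: prefix its exact line with "!".
ca_conf_disable() {
    tmp="$(mktemp)" || return 1
    awk -v e="$1" '$0 == e { print "!" e; next } { print }' "$CONF" > "$tmp"
    cat "$tmp" > "$CONF" && rm -f "$tmp"
}

# Typical use as root on the gateway (commented out on purpose):
#   is_pem_cert example-root.crt || exit 1
#   openssl x509 -in example-root.crt -noout -subject -fingerprint -sha256
#   cp example-root.crt /usr/share/ca-certificates/extra/
#   ca_conf_enable extra/example-root.crt && update-ca-certificates
#   ca_conf_disable extra/example-root.crt && update-ca-certificates
```

Compare the printed SHA-256 fingerprint with the value the CA publishes before enabling the entry, since every certificate in this store becomes a root of trust for the gateway.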