Managing the SSL store
The SSL store contains the certificates of the Certification Authorities (CAs) trusted by the gateway. It defines the gateway's root of trust and, indirectly, which TLS connections it will consider secure.
Add a CA certificate
You can add a new CA certificate to trust in the store.
Copy the certificate to the gateway at /usr/share/ca-certificates/extra/, keeping the .crt file extension used by the store.
The certificate must be in PEM format (a text file starting with -----BEGIN CERTIFICATE-----). You can convert your certificate by following this guide: https://www.sslshopper.com/ssl-converter.html.
Example: install the Let's Encrypt ISRG Root X1 certificate. Before trusting a downloaded root, check its SHA-256 fingerprint against the value published by the CA (for example with openssl x509 -noout -fingerprint -sha256 -in /usr/share/ca-certificates/extra/isrgrootx1.crt).
sudo mkdir -p /usr/share/ca-certificates/extra
sudo wget https://letsencrypt.org/certs/isrgrootx1.pem -O /usr/share/ca-certificates/extra/isrgrootx1.crt
Reference the certificate in the CA certificate store configuration file at /etc/ca-certificates.conf.
echo 'extra/isrgrootx1.crt' | sudo tee -a /etc/ca-certificates.conf
Content of /etc/ca-certificates.conf
# Lines starting with # will be ignored
# Lines starting with ! will remove certificate on next update
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt
[...]
mozilla/USERTrust_ECC_Certification_Authority.crt
mozilla/USERTrust_RSA_Certification_Authority.crt
mozilla/XRamp_Global_CA_Root.crt
extra/isrgrootx1.crt
Finally, update the CA certificates store with:
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
The new certificate is now installed. You may need to restart the applications using the SSL store so that they pick up the newly installed certificate.
Remove a CA certificate
Mark the certificate to be deleted in the CA certificate store configuration file at /etc/ca-certificates.conf (prefix the line with !).
# Lines starting with # will be ignored
# Lines starting with ! will remove certificate on next update
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt
[...]
mozilla/USERTrust_ECC_Certification_Authority.crt
mozilla/USERTrust_RSA_Certification_Authority.crt
mozilla/XRamp_Global_CA_Root.crt
!extra/isrgrootx1.crt
Update the CA certificates store with:
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
You can then clean up by removing the certificate file from /usr/share/ca-certificates/extra and the configuration entry from /etc/ca-certificates.conf.
The certificate is now removed from the store. You may need to restart the applications using the SSL store so that they stop trusting the removed certificate.
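The add and remove procedures above, scripted as a set of POSIX shell functions. This is an added example and not part of the original page or of the gateway's own tooling; it assumes the Debian-style layout the text describes (certificates under /usr/share/ca-certificates, referenced relative to that directory in /etc/ca-certificates.conf) and lets both paths be overridden through CA_DIR and CA_CONF so the functions can be tried on a scratch tree without root. The script name ca-store.sh in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): helper functions that script
# the add/remove procedure for the CA store.
# Assumed layout, matching the text:
#   CA_DIR  = /usr/share/ca-certificates   (certs referenced relative to it)
#   CA_CONF = /etc/ca-certificates.conf    (one relative .crt path per line,
#                                           '#' = comment, '!' = remove)
# Both can be overridden from the environment for a dry run on a scratch tree.
CA_DIR=${CA_DIR:-/usr/share/ca-certificates}
CA_CONF=${CA_CONF:-/etc/ca-certificates.conf}

# Return 0 if the file looks like a PEM certificate; update-ca-certificates
# does not accept DER files, so this catches the most common mistake early.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q '^-----END CERTIFICATE-----' "$1"
}

# Copy a PEM file into $CA_DIR/extra/<name>.crt and reference it in $CA_CONF.
# Prints the relative entry that was registered, e.g. "extra/isrgrootx1.crt".
add_ca() {
    src=$1
    name=${2:-$(basename "$src" .pem)}
    is_pem_cert "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    mkdir -p "$CA_DIR/extra"
    cp "$src" "$CA_DIR/extra/$name.crt"
    entry="extra/$name.crt"
    # Append the entry only once; duplicates are harmless but clutter the file.
    grep -qxF "$entry" "$CA_CONF" || echo "$entry" >> "$CA_CONF"
    echo "$entry"
}

# Mark an entry for removal by prefixing the exact line with '!'. awk is used
# instead of sed -i so the edit behaves the same with GNU and BSD tools.
mark_for_removal() {
    entry=$1
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' "$CA_CONF" > "$CA_CONF.tmp" &&
    mv "$CA_CONF.tmp" "$CA_CONF"
}

# Cleanup step after a removal: drop the (marked) entry and the file itself.
purge_ca() {
    entry=$1
    awk -v e="$entry" '$0 != e && $0 != "!" e' "$CA_CONF" > "$CA_CONF.tmp" &&
    mv "$CA_CONF.tmp" "$CA_CONF"
    rm -f "$CA_DIR/$entry"
}

# List the entries currently trusted (skips comments, blank lines and '!' lines).
list_trusted() {
    grep -v -e '^#' -e '^!' -e '^$' "$CA_CONF"
}

# Real run against the system paths (needs root); "ca-store.sh" is a placeholder name:
#   sudo sh ca-store.sh add /tmp/isrgrootx1.pem isrgrootx1
#   sudo sh ca-store.sh remove extra/isrgrootx1.crt
case "${1:-}" in
    add)    add_ca "$2" "$3" && update-ca-certificates ;;
    remove) mark_for_removal "$2" && update-ca-certificates && purge_ca "$2" ;;
esac
```

Running add_ca twice for the same certificate leaves a single entry in the configuration file, and list_trusted shows the effect of the '!' marker before update-ca-certificates is run, which is a convenient way to review what will change on a gateway before touching the live store.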