On Wed, Dec 13, 2023 at 10:52 PM Jeffrey Walton <noloa...@gmail.com> wrote:
>
> On Wed, Dec 13, 2023 at 9:58 PM Pocket <poc...@columbus.rr.com> wrote:
> >
> > On 12/13/23 21:47, Jeffrey Walton wrote:
> > > On Wed, Dec 13, 2023 at 7:55 PM Pocket <poc...@columbus.rr.com> wrote:
> > >> What formats does certs need to be to work with update-ca-certificates?
> > >>
> > >> PEM or DER?
> > > PEM
> >
> > Ok since I am using an intermediate cert to sign, I am creating a
> > combined PEM with the root CA and the intermediate cert like this
> >
> > cat "$directory"/certs/intermediate.cert.pem "$ca_directory"/certs/ca.cert.pem > "$directory"/certs/ca-chain.cert.pem
> >
> > Will that work or does the cert have to be a single cert?
>
> I don't recall. I use one file for each certificate.
>
> Oh, and the file extension should be *.crt, not *.pem.
>
> > >> I have just finished writing some scripts to generate certs for my email
> > >> server and nginx server.
> > >>
> > >> [...]
> > >> Will pem format type certs work?
> > > Yes.
> > >
> > > You should also place the certificates in
> > > /usr/local/share/ca-certificates . Make the directory if it does not
> > > exist. And then run update-ca-certificates from the directory.
> >
> > That sub directory does indeed exist, so I need to run
> > update-cert-certificates from
> >
> > /usr/local/share/ca-certificates or can I just run update-cert-certificates
> > as root?
>
> I don't recall. I run update-ca-certificates from
> /usr/local/share/ca-certificates as root.
>
> You might also be interested in update-ca-certificates(8) at
> <https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html>,
> and OpenSSL's c_rehash at
> <https://github.com/openssl/openssl/blob/master/tools/c_rehash.in>. In
> the past, I believe update-ca-certificates relies upon c_rehash for
> some operations.

I submitted a PR to update the documentation. The existing docs were missing some useful options, and did not say how to add certificates in a meaningful way. Also see <https://salsa.debian.org/debian/ca-certificates/-/merge_requests/11> and <https://salsa.debian.org/debian/ca-certificates/-/merge_requests/12>.

Jeff
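
Added example, not part of the original thread: a shell function that splits a combined bundle such as ca-chain.cert.pem into one certificate per file with a .crt extension, the layout described in the reply above. The function name split_chain, the example-ca prefix and the placeholder certificate bodies are assumptions made for illustration.

```shell
#!/bin/sh
# Split a combined PEM bundle into one certificate per file, named
# <prefix>-<n>.crt, ready to copy into /usr/local/share/ca-certificates.
# split_chain and its arguments are hypothetical names for this example.
# Prints the number of certificates written; returns non-zero when the
# bundle is unreadable, empty, or has unbalanced BEGIN/END markers.
split_chain() {
    bundle=$1; outdir=$2; prefix=$3
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pre="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ {
            if (inside) { bad = 1; exit }      # BEGIN inside an open block
            n++; inside = 1
            out = sprintf("%s/%s-%d.crt", dir, pre, n)
        }
        inside { print > out }                 # copy only lines inside a block
        /^-----END CERTIFICATE-----/ {
            if (!inside) { bad = 1; exit }     # END without a matching BEGIN
            inside = 0; close(out)
        }
        END {
            if (bad || inside || n == 0) exit 1
            print n
        }
    ' "$bundle"
}

# Demo on a constructed two-block bundle (placeholder bodies, not real
# certificates), written to a temporary directory.
demo=$(mktemp -d)
cat > "$demo/ca-chain.cert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
EOF
split_chain "$demo/ca-chain.cert.pem" "$demo/out" example-ca
ls "$demo/out"
# On the real host, as root: copy the resulting .crt files into
# /usr/local/share/ca-certificates and then run update-ca-certificates.
```
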