Corporate SSL Cert

Hi Guys,

Can you please tell me if there is a way to import our Corporate SSL Cert to Tumbleweed ?

I tried copying both the .pem and the .crt file to /etc/pki/trust/anchors/ and /usr/share/pki/trust/, followed by the update-ca-certificates command, but it doesn’t look like it imports the file.

Any help is appreciated.

Regards,
Saurabh

First,
You need to inspect the cert to identify its authorized uses and any extensions.

Then,
You need to describe for what purpose you intend to use the certificate. Some applications might be able to access and use a certificate in a certificate store, but in my experience x509 certificates are usually installed/imported into specific applications.

TSU

So in the past (on Arch Linux / Ubuntu) I have imported the same cert into the respective distro’s cert store, and that has allowed me to use the following applications without any issues.

  1. Firefox
  2. aws-cli

For Firefox my current workaround on TW is to import the cert, but that seems like an unnecessary additional step.
aws-cli does not work unless I specify the flag to ignore SSL.

I would love to know how to properly import the cert to TW’s cert store.

Regards,
Saurabh

How exactly do you determine that? What command did you run, and what was the result of that command?

The commands I ran are as below:

sudo cp certfile /etc/ssl/certs/
sudo update-ca-certificates

sudo cp certfile /etc/pki/trust/
sudo update-ca-certificates

sudo cp certfile /etc/pki/trust/anchors/
sudo update-ca-certificates

sudo cp certfile /usr/share/pki/trust/
sudo update-ca-certificates

sudo cp certfile /usr/share/pki/trust/anchors/
sudo update-ca-certificates

After running update-ca-certificates I believe it should say “Certificate Added”, but in my case it doesn’t produce any output.

No, it should not.

Understand.
But can you confirm which one of those commands are actually the one I should use ?

Yes, placing the CA certificate (you still did not explain what certificate you are trying to “import”) in /etc/pki/trust/anchors and running update-ca-certificates is the standard way to make it available to some programs. But every program is free to ignore this location. A notable example is Mozilla/Firefox, which has no notion of a central system-wide CA certificate location at all.

/usr/share is intended for stuff installed by packages and may be overwritten/deleted on updates, so you should not use it for local modifications. And /etc/ssl is generated from /{etc,usr/share}/pki content by update-ca-certificates and is used only by some programs.

Neither of the programs you list is supposed to work with certificates unless you import them individually into the application.
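The inspection step TSU asks for earlier in the thread and the anchors-directory procedure arvidjaar describes here, as one added example (this is not code posted by anyone in the thread). It assumes openssl is installed and that the openSUSE paths are /etc/pki/trust/anchors for local anchors and /etc/ssl/ca-bundle.pem for the bundle that update-ca-certificates generates; the test PKI it builds at the end is constructed data with placeholder names.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Assumptions: openssl is installed; update-ca-certificates on openSUSE reads
# /etc/pki/trust/anchors and writes /etc/ssl/ca-bundle.pem. The test PKI
# built by make_test_pki is constructed data with placeholder names.
set -u

# Step 1: look at what the file actually is before trusting it. Subject equal
# to issuer means self-signed; Basic Constraints and Key Usage say whether the
# certificate may act as a CA at all.
inspect_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
    openssl x509 -in "$1" -noout -text | grep -A1 -E 'X509v3 (Basic Constraints|Key Usage)'
}

# True only if the certificate carries Basic Constraints CA:TRUE. A firewall's
# per-site leaf certificate does not, and adding one as an anchor achieves
# nothing; only the CA that signed the intercepted connections belongs there.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Step 2: local anchors go to /etc/pki/trust/anchors, never /usr/share/pki
# (package-owned, replaced on updates). update-ca-certificates then
# regenerates /etc/ssl/ca-bundle.pem and the per-program stores. Needs root.
install_anchor() {
    cert_is_ca "$1" || { echo "refusing: $1 is not a CA certificate" >&2; return 1; }
    cp "$1" /etc/pki/trust/anchors/ && update-ca-certificates
}

# Step 3: prove the anchor landed in the generated bundle by validating a leaf
# the CA signed against that bundle only (default CApath/CAfile disabled), e.g.
#   verify_leaf_against_bundle /etc/ssl/ca-bundle.pem intranet-leaf.pem
verify_leaf_against_bundle() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test PKI: a self-signed CA (openssl req -x509 adds CA:TRUE with
# the stock openssl.cnf) and one leaf signed by it, written to directory $1.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Example Corp Proxy CA' -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=intranet.example' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}
```

The check in step 3 is the one the thread keeps circling around: update-ca-certificates prints nothing on success, so the way to confirm an import is to verify a certificate issued by that CA against the generated bundle, not to look for a message.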

First… Firefox.
Ordinarily, 2-way SSL is not implemented; it’s uncommon but possible.
So, your first step is to verify that your Server is using your corporate cert to authenticate the User… That means that your corporate Admins are generating individual certs for each and every User from their own CA and then distributing your <personal> cert to you.
This is completely different from giving you the public CA cert for the webserver so that your machine automatically trusts the Server and you’re not prompted by a warning that the website is untrusted. For this common scenario, you simply import the cert into your browser certificate store in the Advanced Settings.
This second scenario is very common, the first scenario is not although possible.

Next, the AWS cert.
The AWS documentation describes how to run the “configure” command to import your cert into that app. Note that unless your Admins configured your corporate cert to be used on the AWS server, you should be using a different cert. Normally AWS certs are generated by AWS, not your corporate CA.
http://docs.aws.amazon.com/cli/latest/userguide/awscli-install-linux.html

HTH,
TSU

Thank you for that detail. Our company enforces SSL decryption of all traffic. The SSL cert is generated on our Firewall and needs to be installed on every system in order for SSL decryption to work. The downside is that if you don’t have the cert installed, you cannot even browse the web or download / install OS updates.
I will give this another try and will report back. Thank you.

You are mistaken. What needs to be installed is the root certificate of the CA that signed it, not the certificate itself. For a self-signed certificate it means the certificate itself, but that does not change the general rule.

As it is about browsing, we are back to square one: how do you check that the import was not successful? I already told you that what you did would not work for Firefox. It also would not work with Chrome or Chromium. The first two use a certificate store in the user profile. The latter is using (or at least can use) the system-wide certificate store, but it is not updated by update-ca-certificates.
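Because Firefox and Chromium keep their own NSS databases, the CA has to be imported into each of those separately. The following is an added example (not code from the thread) of doing that with certutil from the NSS tools; it assumes certutil is installed, that Firefox profiles are listed in ~/.mozilla/firefox/profiles.ini and that Chromium reads ~/.pki/nssdb, and the nickname "Corporate Proxy CA" is a placeholder.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Assumptions: certutil (mozilla-nss-tools) is installed; Firefox profiles are
# enumerated in $HOME/.mozilla/firefox/profiles.ini; Chromium/Chrome on Linux
# use the NSS database in $HOME/.pki/nssdb. The CA nickname is a placeholder.
set -u

# Print one Firefox profile directory per line by parsing profiles.ini ($1).
# Path= entries are relative to the directory holding profiles.ini unless the
# section says IsRelative=0.
firefox_profile_dirs() {
    awk -v base="$(dirname "$1")" '
        BEGIN          { rel = 1 }
        /^\[/          { if (path != "") print (rel ? base "/" path : path); path = ""; rel = 1 }
        /^IsRelative=/ { rel = substr($0, 12) + 0 }
        /^Path=/       { path = substr($0, 6) }
        END            { if (path != "") print (rel ? base "/" path : path) }
    ' "$1"
}

# Import CA cert $1 into the NSS database in directory $2 under nickname $3.
# Trust flags "C,," mark it as a trusted CA for TLS server certificates only;
# no trust for e-mail or object signing is granted.
nss_import_ca() {
    certutil -d "sql:$2" -A -n "${3:-Corporate Proxy CA}" -t "C,," -i "$1"
}

# True if a certificate with nickname $2 exists in the NSS database $1.
nss_has_ca() {
    certutil -d "sql:$1" -L -n "$2" >/dev/null 2>&1
}

# Firefox: every profile has its own cert9.db, so loop over all of them.
# Chromium: one shared database per user.
import_into_browsers() {
    ca=$1
    firefox_profile_dirs "$HOME/.mozilla/firefox/profiles.ini" |
    while IFS= read -r profile; do
        nss_import_ca "$ca" "$profile"
    done
    mkdir -p "$HOME/.pki/nssdb"
    nss_import_ca "$ca" "$HOME/.pki/nssdb"
}
```

Run the import with the browsers closed, since they hold the database open. A profile created afterwards starts without the CA, so the import has to be repeated for it; the system anchor added via update-ca-certificates does not help here.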

“All Traffic” is pretty broad.

As arvidjaar and I posted earlier,
Web browsers should have the public key from the CA installed in each web browser’s certificate store for normal SSL encryption only.
If the Firewall is a Proxy firewall, then you may also need to configure SOCKS proxy settings, if those settings aren’t already set up to be automatically distributed over your network. Web browsers and email clients are common apps that support SOCKS configuration.

SSL can be used <only> for encrypted connections, and some setups do only that.
But, SSL can also be used to do other things…

  • Verify the identity of the Server. This is commonly seen when you connect to remote websites, sometimes the address bar will even turn red if phishing is detected and green if the website is verified.
  • Verify the User. As I described, this is uncommon but possible. In a LAN other certificates or tokens like Kerberos can be used to verify identity of the authorized client, this would be separate from possible SSL or other VPN tunneling.

TSU

Sorry it took me this long to reply but I think I have found my answer. Please correct me in case this is wrong approach.

I copied our company’s self-signed SSL cert (generated at the firewall) to the following directory:

sudo cp companycert.crt /etc/pki/trust/anchors
sudo update-ca-certificates

Now programs such as awscli, pip3 and curl are able to access resources that are served via SSL.
I may be wrong in using this directory, but this is what worked for me. Looking forward to your thoughts.
