Entrust a certificate

Hello, how can I trust a Fiddler .crt certificate in OpenSUSE? I trusted it in Kleopatra but it seems like Kleopatra is not used at all.
The official doc says I need to do it this way:

$ sudo mkdir /usr/share/ca-certificates/extra
$ sudo cp ~/Desktop/FiddlerRootCertificate.crt /usr/share/ca-certificates/extra
$ sudo dpkg-reconfigure ca-certificates

or for Fedora:

cp ~/Desktop/FiddlerRootCertificate.crt /etc/pki/ca-trust/source/anchors/

update-ca-trust

But I don’t have update-ca-trust or dpkg-reconfigure

You can look at “/usr/share/doc/packages/ca-certificates/README”

Basically, put the cert in “/usr/share/pki/trust/anchors” and then run “update-ca-certificates”.

Thanks. But it looks like it’s not enough for Fiddler for now.

Can you do a “trust list” and check if the FiddlerRootCertificate is in that list?

If not, you should retry adding it.
If it is, Fiddler is using some non-standard way to access the certificates and we need to find more on that.

I think it requires that the cert be in PEM form. If it is in some other format such as DER, you can use “openssl” to convert to PEM.

It is .cer, I converted it with

openssl x509 -inform der -in FiddlerRootCertificate.crt -out FiddlerRootCertificate.pem

and copied to

/usr/share/pki/trust/anchors

but it didn’t help.

Currently I have troubles with Cisco Anyconnect: I put all original (.cert) and converted (.pem) certificates there

/opt/.cisco/certificates/ca/

like it said in the manual

and also there

/usr/share/pki/trust/anchors

but it didn’t help.

Sorry, what do you mean? I use Fiddler Anywhere and didn’t find the “trust list”.
(Years ago I used Fiddler with Mono and it worked well within Wine but don’t want to install Wine now).

$ trust list | head 
pkcs11:id=%D2%87%B4%E3%DF%37%27%93%55%F6%56%EA%81%E5%36%CC%8C%1E%3F%BD;type=cert 
    type: certificate 
    label: ACCVRAIZ1 
    trust: anchor 
    category: authority 

pkcs11:id=%F7%7D%C5%FD%C4%E8%9A%1B%77%64%A7%F5%1D%A0%CC%BF%87%60%9A%6D;type=cert 
    type: certificate 
    label: AC RAIZ FNMT-RCM 
    trust: anchor

As usual, this path is for distribution packages. Local additions should go into /etc/pki/trust/anchors

and then run “update-ca-certificates”.

Of course not. After that you need to update various certificates stores as instructed above.

Yes, it’s there. Also my Cisco Anyconnect certificate is present in the

trust list
    type: certificate
    label: DO_NOT_TRUST_FiddlerRoot
    trust: anchor
    category: authority

I tried to copy .pem certs there and launched

update-ca-certificates

But still can’t connect with Cisco Anyconnect

Security policies were applied to your session, access to some resources may be blocked. Your system administrator provided the following information to help you understand and remedy the security conditions:


Workstation not in domain


Altiris not running

Hm, it looks like it tried to find some Symantec software that is installed on Mac. But it works with Windows.

Do you have the file /etc/ssl/certs/DO_NOT_TRUST_FiddlerRoot.pem? If not, did you run update-ca-certificates as you have been told several times already? Does the file /etc/ssl/certs/DO_NOT_TRUST_FiddlerRoot.pem exist after running update-ca-certificates?

And why do you think it is related to a “missing” certificate? I do not see any indication of it in the messages you posted. You started with a question about how to add a custom certificate to trusted roots and now you suddenly jump to a problem with some software without any explanation of how this problem is related to your question.

Did you manage to trust your man-in-the-middle certificate or not?

Yes, I have

sudo nano /etc/ssl/certs/DO_NOT_TRUST_FiddlerRoot.pem

Yeah, sorry, maybe it’s not a certificate problem, but I have gotten this message since the first Cisco launch. I just wrote that this issue may not be with a cert.

Probably better to start a new thread with “Cisco Anyconnect” in the title, plus a short summary of the problem.

In the message, please share how you installed AnyConnect, how you start it, and what the exact error message is. If it is done via a GUI, a screen capture would be nice.
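
The two checks this thread keeps returning to (is the file really PEM or DER, and did the certificate actually end up in the store after update-ca-certificates), as an added example that is not part of the original posts. The function names are my own, the default bundle path /etc/ssl/ca-bundle.pem is an assumption about the openSUSE layout, and SAMPLE_DER is a constructed stand-in rather than a real certificate.

```python
import hashlib
import re
import ssl
import sys
from pathlib import Path

# Assumption: generated PEM bundle on openSUSE; pass another path if yours differs.
DEFAULT_BUNDLE = "/etc/ssl/ca-bundle.pem"
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)
# Constructed stand-in bytes (a tiny DER SEQUENCE), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")


def detect_format(data):
    """Return 'PEM' or 'DER' from the file contents, not the extension."""
    if PEM_BLOCK.search(data):
        return "PEM"
    if data[:1] == b"\x30":  # DER starts with an ASN.1 SEQUENCE tag
        return "DER"
    raise ValueError("not a PEM or DER certificate")


def to_der(data):
    """Normalize either encoding to DER so both hash to the same value."""
    if detect_format(data) == "DER":
        return data
    return ssl.PEM_cert_to_DER_cert(PEM_BLOCK.search(data).group().decode("ascii"))


def fingerprint(data):
    """SHA-256 over the DER encoding, independent of PEM/DER packaging."""
    return hashlib.sha256(to_der(data)).hexdigest()


def in_bundle(cert, bundle):
    """True if the certificate appears among the PEM blocks of the bundle."""
    return fingerprint(cert) in {fingerprint(b) for b in PEM_BLOCK.findall(bundle)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: script.py CERT [BUNDLE]
        cert = Path(sys.argv[1]).read_bytes()
        bundle = Path(sys.argv[2] if len(sys.argv) > 2 else DEFAULT_BUNDLE).read_bytes()
    else:  # offline demo with the constructed sample
        cert = SAMPLE_DER
        bundle = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")
    print(detect_format(cert), fingerprint(cert), "in bundle:", in_bundle(cert, bundle))
```

The printed hash is the same digest that `openssl x509 -noout -fingerprint -sha256` reports, without the colons and in lowercase. A result of "in bundle: True" only shows the system store has the certificate; an application that ships its own store will not see it.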