Import single cert into machine store

First time user, first time poster.
OpenSuse Leap 15-3

I need to import a machine certificate (somewhere). I have it in .cer & .pem format. I am trying to use a powershell command to connect to a host but it gives a certificate error. In Windows I just simply import the cert into the personal store, and away I go.

I’ve tried to import this into the /etc/pki/trust/anchors folder and run update-certificate-ca but that doesn’t process anything.
In the script output it says “Unix LocalMachine X509Stores are read-only for all users.”.Exception.Message"

Hello and welcome to the openSUSE forums.

I can not answer your question (but I hope others know more about this subject). But, as an introduction to forums usage here, may I ask you to please show in a post, as much as possible, what you do and what you get. Thus people here can see what you saw and draw their conclusions. The best is copy/paste from the terminal emulation window (the prompt with the command, all output up to and including the next prompt) between CODE tags in a post. It is the # button in the tool bar of the post editor.
An example is here: Using CODE tags Around your paste.

Wrong location, place your .pem file in

/usr/share/pki/trust/anchors/

and execute

sudo update-ca-certificates

Afterwards you can test your private site with curl for example.

Wrong. /usr is for packages, /etc is for local changes.

That may be the case but last I tried it, it simply did not work and no amount of tinkering would make it, for example curl, recognize the certificate unless I placed it in usr.

Either way in either or both locations /usr & /etc doesn’t work, curling the IP or FQDN still fails verification

 
tmoney@localhost:> ls /usr/share/pki/trust/anchors/
af60.pem


tmoney@localhost:> ls /etc/pki/trust/anchors/
af60.pem


tmoney@localhost:> sudo update-ca-certificates 


tmoney@localhost:> curl https://af60.redacteddomain.com
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html


curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.



Is certificate now present in output of “trust list”?

tmoney@localhost:> sudo update-ca-certificates 

tmoney@localhost:>

Is certificate now present in /etc/ssl/ca-bundle.pem and /etc/ssl/certs?

tmoney@localhost:> curl https://af60.redacteddomain.com
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Well, placing the certificate in /etc/pki/trust/anchors should work (actually, because by default this location is monitored for changes, even update-ca-certificates is redundant; it is called automatically). I verified it once more by generating a self signed certificate. So you need to troubleshoot it on your system. Start with providing the information I requested.

And, BTW, obfuscating everything simply makes it impossible for us to check anything. The most obvious answer to your problem - server certificate is not af60.pem.

Yes it shows up under trust list.

tmoney@localhost:/etc/ssl/certs> trust list
    pkcs11:id=%da%b1%73%54%42%4f%0b%2b%26%c2%c3%7b%a9%86%27%58%d4%64%4c%60;type=cert
    type: certificate
    label: AF60.powerdesigninc.us
    trust: anchor
    category: other-entry

I also took the cert straight off the web, exported it as a p7b (even though it’s self signed and there’s no chain) and converted it using openssl to a pem. FWIW, I’ve also tried to do it as a .crt

You ignored my second question.

Let’s give it the last try. Show full output of

cat /etc/pki/trust/anchors/af60.pem
echo | openssl s_client -connect af60.redacteddomain.com:443 -showcerts
strace curl https://af60.redacteddomain.com

upload to https://susepaste.org/.

Here you go: https://susepaste.org/view/88268188

AFAIK that store matches, the pem is valid, and is what the server has

This file is malformed, closing line is missing.

stat("/var/lib/ca-certificates/openssl/155f263c.0", 0x7ffc71e3e100) = -1 ENOENT (No such file or directory)

I asked you whether certificate was actually present where OpenSSL looks for it. It is not.

It's not missing the end certificate. It just didn’t show it in the cat of the file. When I vim it - it’s there. The cat tried to wrap it around the console ~

VIM:


-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIJAPagpeZqg669MA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIU2FuIEpvc2UxFzAVBgNVBAoM
Dk5pbWJsZSBTdG9yYWdlMR8wHQYDVQQDDBZBRjYwLnBvd2VyZGVzaWduaW5jLnVz
MB4XDTE5MTAzMTE0MTE1MFoXDTI5MTAyODE0MTE1MFowZzELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAkNBMREwDwYDVQQHDAhTYW4gSm9zZTEXMBUGA1UECgwOTmltYmxl
IFN0b3JhZ2UxHzAdBgNVBAMMFkFGNjAucG93ZXJkZXNpZ25pbmMudXMwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT+upT7TiteAjJlKhwwqD/oV1Qk6u3
vnCn9jBGwfWkem6aZOCeDBd4lHE3YvzRJfd6+5oCdBRpFYhsu4Gf64i+05RMi6UD
wnR4MKNu1lyOAZ4Sm11nAj9AKfKXBXbNbIRgDAiqbudSkrlNmrrlfafSXnj1/xCc
mqoDHf2hTUCmh/6WvVHJ4GMoTX1OInQSmD+fAEmVHINK2Lv3LCM25ak6rQ4Jmp+K
HbAXEe6lc4SCaSHzbOEu2N57FH/V6N6McKV+MfNAkNnzfx4ACuAFXymofL+vt8a2
azf3OXXF2ZjHy6wN+QXIs6Br4jWXakOELhTj2QHHS+caK37jZd/U4mVtAgMBAAGj
gb8wgbwwCQYDVR0TBAIwADAdBgNVHQ4EFgQU2rFzVEJPCysmwsN7qYYnWNRkTGAw
HwYDVR0jBBgwFoAU2rFzVEJPCysmwsN7qYYnWNRkTGAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMFAGA1UdEQRJMEeCIVRoZUdyZWVuTWFjaGluZS5wb3dl
cmRlc2lnbmluYy51c4IWQUY2MC5wb3dlcmRlc2lnbmluYy51c4cECgABZIcErBsB
yDANBgkqhkiG9w0BAQsFAAOCAQEAiTWU78xTckqD8imSdd48ArGG8s16SdliIhwg
QnkyN54fGQCECR90pry5/aPavfr7JadpSnLz/wMBhMESyp0dZ3RgKdJlMFC2NR/b
3XPfruit7mhZGYgJq/S2wUTxlAvfQKamqyEaH3PxeCbSB/8pweq/J1/DP1VY/ykf
tUSBCQl4lp65/xBG0afiSQOu4aYUEaTnClnib6kPhlwV7oEH6FtVQdCJz6b4yaYa
tiVwTae0qgb/5R7oEVRueVPclxtc53lO5lUIYDDadywEitb2TAxmBFroTqg7xIOT
8XR4Oj9g28zljVDqOxT1K/IbE8nIlKKrVVLy+Ec0Z1F4z8hp0g==
-----END CERTIFICATE-----

CAT:


tmoney@localhost:~> cat /etc/pki/trust/anchors/af60.pem 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----tmoney@localhost:~>


tmoney@localhost:~> sudo cp /etc/pki/trust/anchors/af60.pem /var/lib/ca-certificates/openssl/
[sudo] password for root: 
tmoney@localhost:~> echo | openssl s_client -connect AF60.powerdesigninc.us:443 -showcerts
CONNECTED(00000003)
depth=0 C = US, ST = CA, L = San Jose, O = Nimble Storage, CN = AF60.powerdesigninc.us
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = San Jose, O = Nimble Storage, CN = AF60.powerdesigninc.us
verify return:1
---
Certificate chain
 0 s:C = US, ST = CA, L = San Jose, O = Nimble Storage, CN = AF60.powerdesigninc.us
   i:C = US, ST = CA, L = San Jose, O = Nimble Storage, CN = AF60.powerdesigninc.us
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = CA, L = San Jose, O = Nimble Storage, CN = AF60.powerdesigninc.us


issuer=C = US, ST = CA, L = San Jose, O = Nimble Storage, CN = AF60.powerdesigninc.us


---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1593 bytes and written 506 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 621CE6FC84ABE3A69FBA821C40985CF2D7C59DEB5CB778C3F85CB1E8BD421B1A
    Session-ID-ctx: 
    Master-Key: 81CCF7E01F76140E6DB852C5605C337602E448A2311EEC25C98FBBD67A88135E1B8F2EB9C04584124B5D2ED2ACEB49E9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1646061308
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
DONE



Adding it there looks like it fixed it? Would that be a correct assumption?



tmoney@localhost:~> curl --ssl https://AF60.powerdesigninc.us:443
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html


curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.



Still doesn’t work on the curl though.



Connecting to the Nimble array (ln:~351)
Get-ChildItem: /home/tmoney/.local/share/powershell/Modules/HPENimblePowerShellToolkit/3.2.0/scripts/helpers.ps1:631:20
Line |
 631 |  …               if((Get-ChildItem -Path Cert:\LocalMachine\root | Where …
     |                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find drive. A drive with the name 'Cert' does not exist.


Write-Error: /home/tmoney/.local/share/powershell/Modules/HPENimblePowerShellToolkit/3.2.0/scripts/helpers.ps1:85:18
Line |
  85 |                   ValidateServerCertificate $group
     |                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The security certificate presented by host AF60.powerdesigninc.us was not issued by a trusted certificate authority. Please verify the
     | certificate details shown below and use ImportServerCertificate command line parameter to proceed.    Thumbprint                          
     | Subject ----------                               ------- 05475D65E3FF3BD3E1968C6B678FC6B30744504F CN=AF60.powerdesigninc.us,
     | O=Nimble Storage, L=San Jose, S=CA, C=US


PS /home/tmoney/Documents/BB> 


And doesn’t work in the script either.



S /home/tmoney/Documents/BB> Connect-NSGroup -group AF60.powerdesigninc.us -credential $credObject -ImportServerCertificate


Write-Error: /home/tmoney/.local/share/powershell/Modules/HPENimblePowerShellToolkit/3.2.0/scripts/helpers.ps1:85:18
Line |
  85 |                   ValidateServerCertificate $group
     |                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Failed to import the server certificate    Exception calling "Open" with "1" argument(s): "Unix LocalMachine X509Stores are read-only for all
     | users.".Exception.Message



And because I know you’ll ask - this too - but this was my original Question - the x509 store is read only for all users?

This still means file is malformed (it is expected to be normal text file), but yes, OpenSSL will accept it.

tmoney@localhost:~> sudo cp /etc/pki/trust/anchors/af60.pem /var/lib/ca-certificates/openssl/

It does not work this way.

Adding it there looks like it fixed it? Would that be a correct assumption?

No.

Verification error: self signed certificate

Your certificate is explicitly prohibited from being used as a CA certificate (IOW you cannot use this certificate to sign other certificates, including itself), so it is not added to the list of CA certificates known to OpenSSL. You can only trust this certificate by explicitly adding it to the list of exceptions, as long as your application permits it. Browsers allow it, but e.g. for Firefox it just bypasses the “connection is not secure” prompt; it still marks the connection to this server as not secure.

        X509v3 extensions:
            X509v3 Basic Constraints: 
                **CA:FALSE**

I have no idea what “x509 store” is.
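The point about Basic Constraints above, together with the earlier remark that the anchor file looked malformed, as an added Python example that is not from this thread or from the openSUSE tooling: it checks the PEM layout (armour lines, 64-character body lines per RFC 7468, newline after the END line) and reads the cA flag of the Basic Constraints extension straight from the DER, using the certificate posted in the thread as the sample input. Finding the extension by its encoded OID instead of walking the whole TBSCertificate is a deliberate shortcut (an assumption that is fine for inspection, not a general X.509 parser); the function names are mine.

```python
import base64

# The self-signed certificate posted in this thread (the contents of
# /etc/pki/trust/anchors/af60.pem as shown in the poster's vim view).
AF60_PEM = """-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIJAPagpeZqg669MA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNV
BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIU2FuIEpvc2UxFzAVBgNVBAoM
Dk5pbWJsZSBTdG9yYWdlMR8wHQYDVQQDDBZBRjYwLnBvd2VyZGVzaWduaW5jLnVz
MB4XDTE5MTAzMTE0MTE1MFoXDTI5MTAyODE0MTE1MFowZzELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAkNBMREwDwYDVQQHDAhTYW4gSm9zZTEXMBUGA1UECgwOTmltYmxl
IFN0b3JhZ2UxHzAdBgNVBAMMFkFGNjAucG93ZXJkZXNpZ25pbmMudXMwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT+upT7TiteAjJlKhwwqD/oV1Qk6u3
vnCn9jBGwfWkem6aZOCeDBd4lHE3YvzRJfd6+5oCdBRpFYhsu4Gf64i+05RMi6UD
wnR4MKNu1lyOAZ4Sm11nAj9AKfKXBXbNbIRgDAiqbudSkrlNmrrlfafSXnj1/xCc
mqoDHf2hTUCmh/6WvVHJ4GMoTX1OInQSmD+fAEmVHINK2Lv3LCM25ak6rQ4Jmp+K
HbAXEe6lc4SCaSHzbOEu2N57FH/V6N6McKV+MfNAkNnzfx4ACuAFXymofL+vt8a2
azf3OXXF2ZjHy6wN+QXIs6Br4jWXakOELhTj2QHHS+caK37jZd/U4mVtAgMBAAGj
gb8wgbwwCQYDVR0TBAIwADAdBgNVHQ4EFgQU2rFzVEJPCysmwsN7qYYnWNRkTGAw
HwYDVR0jBBgwFoAU2rFzVEJPCysmwsN7qYYnWNRkTGAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMFAGA1UdEQRJMEeCIVRoZUdyZWVuTWFjaGluZS5wb3dl
cmRlc2lnbmluYy51c4IWQUY2MC5wb3dlcmRlc2lnbmluYy51c4cECgABZIcErBsB
yDANBgkqhkiG9w0BAQsFAAOCAQEAiTWU78xTckqD8imSdd48ArGG8s16SdliIhwg
QnkyN54fGQCECR90pry5/aPavfr7JadpSnLz/wMBhMESyp0dZ3RgKdJlMFC2NR/b
3XPfruit7mhZGYgJq/S2wUTxlAvfQKamqyEaH3PxeCbSB/8pweq/J1/DP1VY/ykf
tUSBCQl4lp65/xBG0afiSQOu4aYUEaTnClnib6kPhlwV7oEH6FtVQdCJz6b4yaYa
tiVwTae0qgb/5R7oEVRueVPclxtc53lO5lUIYDDadywEitb2TAxmBFroTqg7xIOT
8XR4Oj9g28zljVDqOxT1K/IbE8nIlKKrVVLy+Ec0Z1F4z8hp0g==
-----END CERTIFICATE-----
"""

BEGIN_LINE = "-----BEGIN CERTIFICATE-----"
END_LINE = "-----END CERTIFICATE-----"
MAX_LINE = 64  # RFC 7468: base64 body lines are at most 64 characters


def check_pem_layout(text: str) -> list[str]:
    """Report layout problems that make a PEM file look malformed: missing
    armour lines, an over-long body line (e.g. the whole base64 body on one
    line), or no newline after the END line (what the 'cat' in the thread
    showed, with the prompt glued to the END line)."""
    problems = []
    lines = text.split("\n")
    if lines[0] != BEGIN_LINE:
        problems.append("first line is not the BEGIN line")
    if END_LINE not in lines:
        problems.append("missing END line")
    elif not text.endswith(END_LINE + "\n"):
        problems.append("no newline after END line")
    for no, line in enumerate(lines, start=1):
        if line not in (BEGIN_LINE, END_LINE, "") and len(line) > MAX_LINE:
            problems.append(f"line {no} is {len(line)} chars, longer than {MAX_LINE}")
    return problems


def pem_to_der(text: str) -> bytes:
    """Strip the armour lines and base64-decode the body."""
    body = text[text.index(BEGIN_LINE) + len(BEGIN_LINE):text.index(END_LINE)]
    return base64.b64decode("".join(body.split()))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")  # OID 2.5.29.19, DER-encoded


def basic_constraints_ca(der: bytes):
    """True/False for the cA flag of the Basic Constraints extension, or None
    when the certificate carries no such extension. The extension is located
    by its encoded OID (shortcut, not a full X.509 walk)."""
    idx = der.find(BASIC_CONSTRAINTS_OID)
    if idx < 0:
        return None
    pos = idx + len(BASIC_CONSTRAINTS_OID)
    tag, value, pos = _tlv(der, pos)
    if tag == 0x01:            # optional 'critical' BOOLEAN precedes the value
        tag, value, pos = _tlv(der, pos)
    if tag != 0x04:            # extnValue must be an OCTET STRING
        raise ValueError("malformed Basic Constraints extension")
    tag, seq, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("extnValue is not a SEQUENCE")
    if not seq:                # empty SEQUENCE: cA DEFAULT FALSE
        return False
    tag, flag, _ = _tlv(seq, 0)
    return tag == 0x01 and flag != b"\x00"   # only pathLen present -> FALSE


if __name__ == "__main__":
    print("layout problems:", check_pem_layout(AF60_PEM) or "none")
    # CA:FALSE is why the trust tooling does not present this anchor to
    # OpenSSL as a CA certificate, as explained in the post above.
    print("Basic Constraints CA:", basic_constraints_ca(pem_to_der(AF60_PEM)))
```

Run it against any anchor file by reading the file into `check_pem_layout` and `pem_to_der`; a `None` from `basic_constraints_ca` means the certificate has no Basic Constraints extension at all, which is a different situation from an explicit `CA:FALSE`.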

I know that the .cer version of the .pem works because I can hit the REST API for the endpoint by doing this:



tmoney@localhost:~/Downloads> curl -i --cacert '/home/tmoney/Documents/BB/tmoney/Oracle/Clone-powershell/af60.cer' -X 'GET' https://af60.powerdesigninc.us:5392/versions
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/json;charset=utf-8
Date: Mon, 28 Feb 2022 18:53:01 GMT
Transfer-Encoding: chunked


{"data":{"name":"v1","software_version":"5.2.1.400-796142-opt"}
],"startRow":0,"endRow":1,"totalRows":1}tmoney@localhost:~/Downloads>


At this point I’m kind of done chasing my tail (and you yours) and I’ll just redo the entire process to use API instead of powershell scripting. It’ll be better in the long run anyways.

Yes, this happens when you never explain your actual problem.

instead of powershell scripting.

So at the end of the second page it finally looks like you have a problem with PowerShell. How did you expect anyone to guess it before? And even now you still did not actually describe your problem beyond some random output of unknown commands.

I have no idea how Linux PowerShell implements certificate management, where these certificates are stored and whether everything discussed so far applies to it. I can also find no documentation for it.

This thread is perfect example how to not ask questions.

Dear sudoTMoney29.

Please read this: How to ask questions the smart way. In the other parts of this article, there is also worthwhile advice (though not everything there is applicable to the openSUSE Forums).

Please note that people here are not mind readers. Nor is it to be assumed that everybody does something in the same way as you think is the “only logical way” to do something. Many people here are awfully good at trying to understand what you want to achieve and helping you reach your goal even if they never themselves have had the same urge as you to do the same. Years of experience in bug searching enables them to help solve problems in areas they have never even touched. But they need information, information and information.

You don’t appear like you wish to help out of kindness. You seem a very spiteful person.

That being said it doesn’t matter what the PS script is or where it was coming from. The juxtaposition of the question is the same. I cannot curl a local endpoint from the terminal. It doesn’t have anything to do with powershell. But I am willing to wager that if I was able to solve why I can’t curl from the native terminal from the DE, my powershell cmdlet would work. Which is why the root of the problem still exists, which is why people post the way they do, to prevent major butt burn from someone who doesn’t do their process exactly like them. You sir are the reason people try to go OSS, and then leave and go back to native solutions instead of trying to break out of the cycle. I appreciate the help, but lose the attitude of better than thou. Meet the person where they are, and if you don't want to be kind and be helpful, then just don't help at all. I’d rather have gotten 0 replies than worked with you.

I have been watching this thread. And it seems to me that arvidjaar has been very patient in attempting to help you. But it is difficult to provide help without the relevant information. And now you have posted an unwarranted insult.

I’ll note that English is not the native language of arvidjaar. As a result, his replies might seem a little terse, but that is not spite.