Import new trusted Root CA certificate

Learn how to add root CA certificates to your local trust list in Ubuntu. Convert to PEM, copy to `/usr/local/share/ca-certificates`, and run `update-ca-certificates` for secure PKI operations.

15 Jun 2020
3 Apr 2025

Root CA certificates need to be added to your local trust list when working with PKI. We will examine how to add a root CA certificate, and optionally some intermediate certificates, to the trust store.

Quick solution

The first step of importing a root certificate in Ubuntu is to make sure it is in PEM format and its file name ends with .crt, then copy it to /usr/local/share/ca-certificates.
The second step is running the update-ca-certificates command.
See the more detailed walkthrough below.

Signature and certificate debugging

OpenSSL is a very handy tool for everything related to PKI, digital signatures and certificates.

$ openssl verify 38112086027.cer
C = EE, O = ESTEID, OU = digital signature, CN = "PALA,MARGUS,38112086027", SN = PALA, GN = MARGUS, serialNumber = 38112086027
error 20 at 0 depth lookup: unable to get local issuer certificate
error 38112086027.cer: verification failed

The certificate was not verified; to make it trusted we need to import the issuer CA and add it to the local trust store. To resolve this, let's first examine the signer certificate and find the issuer CA certificate. For this I exported the certificate from my ID card and examined it with openssl.

$ openssl x509 -in 38112086027.cer -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
38:c9:bf:d0:94:7b:ce:2d:5a:02:b7:04:82:31:37:3d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = EE, O = AS Sertifitseerimiskeskus, organizationIdentifier = NTREE-10747013, CN = ESTEID-SK 2015
Validity
Not Before: Nov 8 07:49:24 2017 GMT
Not After : Oct 12 20:59:59 2022 GMT
Subject: C = EE, O = ESTEID, OU = digital signature, CN = "PALA,MARGUS,38112086027", SN = PALA, GN = MARGUS, serialNumber = 38112086027
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:24:ee:a0:9a:84:86:60:6c:f9:58:07:99:8e:08:
04:c1:e0:cf:30:d6:47:07:8f:9f:82:fb:89:ca:fc:
ff:d3:89:69:5a:56:ef:a0:2c:9a:51:2c:ab:67:32:
6b:8f:57:b2:26:02:cb:c1:93:b6:87:a4:fb:f6:1d:
ff:75:bc:ca:a9:40:77:01:2f:2d:e3:89:1c:11:70:
20:e7:26:e3:4f:3f:41:f8:10:94:11:7b:59:0a:60:
d1:b4:e9:ca:6b:08:28
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Non Repudiation
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.10015.1.1
CPS: https://www.sk.ee/repositoorium/CPS
Policy: 0.4.0.194112.1.2

X509v3 Subject Key Identifier:
50:3E:E0:D1:06:12:9F:B4:EF:98:C0:D6:06:9B:50:FB:74:C8:70:0F
qcStatements:
0|0......F..0......F..0Q.....F..0G0E.?https://sk.ee/en/repository/conditions-for-use-of-certificates/..EN0......F..0......F...
X509v3 Authority Key Identifier:
keyid:B3:AB:88:BC:99:D5:62:A4:85:2A:08:CD:B4:1D:72:3B:83:72:47:51

Authority Information Access:
OCSP - URI:http://aia.sk.ee/esteid2015
CA Issuers - URI:http://c.sk.ee/ESTEID-SK_2015.der.crt

X509v3 CRL Distribution Points:

Full Name:
URI:http://www.sk.ee/crls/esteid/esteid2015.crl

Signature Algorithm: sha256WithRSAEncryption
0b:0f:47:a4:bd:7f:27:99:f5:3f:26:0a:98:9d:b3:1e:ed:22:
....
e6:ab:a5:3b:53:7e:47:e0

The missing piece is the issuer certificate, which the Authority Information Access extension points to: CA Issuers - URI:http://c.sk.ee/ESTEID-SK_2015.der.crt

ESTEID-SK_2015.der.crt is itself an intermediate signing certificate; its root is EE_Certification_Centre_Root_CA.pem from Estonia, which is usually already installed in Ubuntu, unlike the root CAs of many other countries.
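The issuer lookup above can be scripted instead of read off the screen. The following is an added example, not code from the original article or from eID Easy: it pulls the Issuer DN, the OCSP URL and the CA Issuers URL out of `openssl x509 -text` output with awk, and includes a constructed sample built from the relevant lines of the output shown above so the parsers can be exercised without an ID card or even an openssl binary. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): extract issuer details from
# `openssl x509 -text -noout` output. Assumes POSIX sh plus awk/grep, as on Ubuntu.

# Print the first "CA Issuers - URI:" value read from stdin (empty if no AIA extension).
ca_issuers_uri() {
    awk '/CA Issuers - URI:/ { sub(/.*CA Issuers - URI:[[:space:]]*/, ""); print; exit }'
}

# Print the first OCSP responder URL read from stdin.
ocsp_uri() {
    awk '/OCSP - URI:/ { sub(/.*OCSP - URI:[[:space:]]*/, ""); print; exit }'
}

# Print the Issuer DN line read from stdin (anchored so "CA Issuers" does not match).
issuer_dn() {
    awk '/^[[:space:]]*Issuer:/ { sub(/^[[:space:]]*Issuer:[[:space:]]*/, ""); print; exit }'
}

# Dump a certificate file (PEM or DER, detected by header) and report where
# its issuer certificate and revocation information can be found.
# Usage: describe_issuer leaf.cer
describe_issuer() {
    cert="$1"
    inform=pem
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || inform=der
    text=$(openssl x509 -in "$cert" -inform "$inform" -text -noout) || return 1
    printf 'Issuer:      %s\n' "$(printf '%s\n' "$text" | issuer_dn)"
    printf 'OCSP:        %s\n' "$(printf '%s\n' "$text" | ocsp_uri)"
    printf 'CA Issuers:  %s\n' "$(printf '%s\n' "$text" | ca_issuers_uri)"
}

# Constructed sample: the relevant lines of the article's openssl output,
# so the parsers can be run offline without an ID card or an openssl binary.
SAMPLE_TEXT='Certificate:
    Data:
        Issuer: C = EE, O = AS Sertifitseerimiskeskus, organizationIdentifier = NTREE-10747013, CN = ESTEID-SK 2015
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://aia.sk.ee/esteid2015
                CA Issuers - URI:http://c.sk.ee/ESTEID-SK_2015.der.crt
'

sample_ca_issuers() { printf '%s' "$SAMPLE_TEXT" | ca_issuers_uri; }
sample_ocsp()       { printf '%s' "$SAMPLE_TEXT" | ocsp_uri; }
sample_issuer()     { printf '%s' "$SAMPLE_TEXT" | issuer_dn; }

# With a certificate file as argument, describe it; otherwise just define the helpers.
if [ "$#" -ge 1 ]; then
    describe_issuer "$1"
fi
```

Run it as `sh describe_issuer.sh 38112086027.cer` to get the three values for a real certificate; the CA Issuers URL is the file to fetch, and the fetched certificate should be checked against the CA's published fingerprint before it is trusted.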

Adding certificate to trusted list

I downloaded this certificate, converted it to the better supported PEM format and verified that it is indeed the correct certificate by checking the signer certificate against it.

$ openssl x509 -in ESTEID-SK_2015.der.crt -inform der -out ESTEID-SK_2015.pem.crt
$ openssl verify -CAfile ESTEID-SK_2015.pem.crt 38112086027.cer
38112086027.cer: OK

The first step of importing a root certificate in Ubuntu is to make sure it is in PEM format and its file name ends with .crt, then copy it to /usr/local/share/ca-certificates.
The second step is running update-ca-certificates.

$ sudo cp ESTEID-SK_2015.pem.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Now the certificate is properly configured in /etc/ssl/certs, the signing certificate is trusted, and so is the signature.

$ openssl verify 38112086027.cer
38112086027.cer: OK
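Putting the steps together: the following is an added example script, not the article's or eID Easy's own code, that performs the import with the checks a careful operator wants before extending the trust store. It converts DER to PEM if needed, prints the CA's SHA-256 fingerprint for comparison with the published value, refuses to install the CA unless the leaf certificate verifies against it, installs the file under a .crt name with world-readable permissions (which also avoids the permissions problem described under Possible problems below), and re-verifies the leaf against the system store. It assumes Ubuntu's /usr/local/share/ca-certificates directory and update-ca-certificates; the function names and the two file arguments are my own.

```shell
#!/bin/sh
# Added example (not from the original article): import a CA certificate into
# the Ubuntu trust store with sanity checks. Assumes POSIX sh, openssl, sudo,
# and the Ubuntu paths below. File names passed in are placeholders.

CA_DIR=/usr/local/share/ca-certificates

# Print "pem" if the file carries a PEM header, otherwise "der".
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo pem; else echo der; fi
}

# update-ca-certificates only picks up files ending in .crt: map any input
# name to the basename it should have in the trust directory.
install_name() {
    base=$(basename "$1")
    case "$base" in
        *.crt) echo "$base" ;;
        *.pem|*.cer|*.der) echo "${base%.*}.crt" ;;
        *) echo "$base.crt" ;;
    esac
}

# Print the "other" permission triple (e.g. r--) of a file, taken from ls -l,
# so an unreadable certificate can be spotted before openssl complains.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Write $1 to $2 as PEM, converting from DER when necessary.
to_pem() {
    if [ "$(cert_format "$1")" = der ]; then
        openssl x509 -in "$1" -inform der -out "$2"
    else
        cp "$1" "$2"
    fi
}

# Usage: import_ca <ca-certificate> <leaf-certificate-it-should-sign>
# Refuses to install the CA unless the leaf verifies against it.
import_ca() {
    ca="$1"; leaf="$2"
    target="$CA_DIR/$(install_name "$ca")"
    tmp=$(mktemp) || return 1
    to_pem "$ca" "$tmp" || { rm -f "$tmp"; return 1; }
    # Show subject and fingerprint so they can be compared with the CA's published values.
    openssl x509 -in "$tmp" -noout -subject -fingerprint -sha256
    if ! openssl verify -CAfile "$tmp" "$leaf"; then
        echo "leaf does not chain to this CA; not installing" >&2
        rm -f "$tmp"; return 1
    fi
    # install -m 0644 makes the file world-readable, avoiding the "Permission denied" failure.
    sudo install -m 0644 "$tmp" "$target"
    rm -f "$tmp"
    sudo update-ca-certificates
    echo "installed $target with other-permissions $(other_perms "$target")"
    # Verify again, this time against the system store rather than -CAfile.
    openssl verify "$leaf"
}

if [ "$#" -eq 2 ]; then
    import_ca "$1" "$2"
fi
```

For the certificates in this article the call is `sh import_ca.sh ESTEID-SK_2015.der.crt 38112086027.cer`; the verify step against the candidate CA is what stops a wrong or tampered download from being added to the trust store.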

Possible problems

OpenSSL issues in version 1.1.1f

If you do the same thing in Ubuntu 18.04 and Ubuntu 20.04, you might see differences.

The current openssl version in Ubuntu 18.04 is

$ openssl version
OpenSSL 1.1.1 11 Sep 2018

In Ubuntu 20.04 the openssl version is newer. In fact, the preinstalled 1.1.1f is broken, so on my machine I built the newer version 1.1.1g from source; it is still not 100% good, even though other issues are better there. The issue is that upgrading from 1.1.1e and 1.1.1f causes OpenVPN connections using SSL to fail (#11456).

Certificate permissions issue

It can happen that the newly added certificate does not have read permissions for all users:

139650177364416:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:290:fopen('/usr/lib/ssl/certs/cceef5f6.0','r')
139650177364416:error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:292:
139650177364416:error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib:../crypto/x509/by_file.c:84:

In this case it helps to add read permission to this certificate:

$ sudo chmod +r /usr/local/share/ca-certificates/ESTEID-SK_2015.pem.crt
