Root CA certificates need to be added to your local trust list when working with PKI. We will examine how to add root CA certificate and optionally some intermediate certificates to the trust store.
First step of importing root certificate in Ubuntu is to make sure it is PEM format, ends with .crt and copying to /usr/local/share/ca-certificates.
Second step is running update-ca-certificates command
See more detailed info below
Signature and certificate debugging
Openssl is very handy tool for everything related to PKI, Digital Signatures and Certificates.
$ openssl verify 38112086027.cer C = EE, O = ESTEID, OU = digital signature, CN = "PALA,MARGUS,38112086027", SN = PALA, GN = MARGUS, serialNumber = 38112086027 error 20 at 0 depth lookup: unable to get local issuer certificate error 38112086027.cer: verification failed
Certificate was not verified and to make it trusted we need to import issuer CA and add it to local trust store. To resolve this issue then lets first examine signer certificate and find the Issuer CA certificate. For this I exported the certificate from my ID card and examined it with openssl.
$ openssl x509 -in 38112086027.cer -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 38:c9:bf:d0:94:7b:ce:2d:5a:02:b7:04:82:31:37:3d Signature Algorithm: sha256WithRSAEncryption Issuer: C = EE, O = AS Sertifitseerimiskeskus, organizationIdentifier = NTREE-10747013, CN = ESTEID-SK 2015 Validity Not Before: Nov 8 07:49:24 2017 GMT Not After : Oct 12 20:59:59 2022 GMT Subject: C = EE, O = ESTEID, OU = digital signature, CN = "PALA,MARGUS,38112086027", SN = PALA, GN = MARGUS, serialNumber = 38112086027 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:24:ee:a0:9a:84:86:60:6c:f9:58:07:99:8e:08: 04:c1:e0:cf:30:d6:47:07:8f:9f:82:fb:89:ca:fc: ff:d3:89:69:5a:56:ef:a0:2c:9a:51:2c:ab:67:32: 6b:8f:57:b2:26:02:cb:c1:93:b6:87:a4:fb:f6:1d: ff:75:bc:ca:a9:40:77:01:2f:2d:e3:89:1c:11:70: 20:e7:26:e3:4f:3f:41:f8:10:94:11:7b:59:0a:60: d1:b4:e9:ca:6b:08:28 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: critical Non Repudiation X509v3 Certificate Policies: Policy: 188.8.131.52.4.1.10015.1.1 CPS: https://www.sk.ee/repositoorium/CPS Policy: 0.4.0.194112.1.2 X509v3 Subject Key Identifier: 50:3E:E0:D1:06:12:9F:B4:EF:98:C0:D6:06:9B:50:FB:74:C8:70:0F qcStatements: 0|0......F..0......F..0Q.....F..0G0E.?https://sk.ee/en/repository/conditions-for-use-of-certificates/..EN0......F..0......F... X509v3 Authority Key Identifier: keyid:B3:AB:88:BC:99:D5:62:A4:85:2A:08:CD:B4:1D:72:3B:83:72:47:51 Authority Information Access: OCSP - URI:http://aia.sk.ee/esteid2015 CA Issuers - URI:http://c.sk.ee/ESTEID-SK_2015.der.crt X509v3 CRL Distribution Points: Full Name: URI:http://www.sk.ee/crls/esteid/esteid2015.crl Signature Algorithm: sha256WithRSAEncryption 0b:0f:47:a4:bd:7f:27:99:f5:3f:26:0a:98:9d:b3:1e:ed:22: .... e6:ab:a5:3b:53:7e:47:e0
Missing bit here is CA Issuers – URI:http://c.sk.ee/ESTEID-SK_2015.der.crt
Similarly the ESTEID-SK_2015.der.crt is intermediate signing certificate and its root is EE_Certification_Centre_Root_CA.pem from Estonia which is usually installed to Ubuntu already contrary to many other countries Root CA-s
Adding certificate to trusted list
I downloaded this certificate, verified that it is the correct, converted to better supported PEM format and verified that this is indeed to correct certificate.
$ openssl x509 -in ESTEID-SK_2015.der.crt -inform der -out ESTEID-SK_2015.pem.crt
$ openssl verify -CAfile ESTEID-SK_2015.pem.crt 38112086027.cer 38112086027.cer: OK
First step of importing root certificate in Ubuntu is to make sure it is PEM and ends with .crt and copying to /usr/local/share/ca-certificates.
Second step is update-ca-certificates
$ sudo cp ESTEID-SK_2015.pem.crt /usr/local/share/ca-certificates $ sudo update-ca-certificates Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
Now you will see the certificate properly configured in /etc/ssl/certs, signing certificate trusted and also signature trusted.
$ openssl verify 38112086027.cer 38112086027.cer: OK
Openssl issues in version 1.1.1f
If you do same thing in Ubuntu 18.04 and Ubuntu 20.04 then you might see differences.
Ubuntu 18.04 current openssl version is
$ openssl version OpenSSL 1.1.1 11 Sep 2018
In Ubuntu 20.04 the openssl version is newer. In fact preinstalled 1.1.1f is broken so in my machine I built newer version 1.1.1g from source and it is still not 100% good even though other issues there are better. Issue is upgrading from 1.1.1.e and 1.1.1.f causes openvpn connections using ssl to fail. #11456
Certificate permissions issue
It can happen that newly added certificate does not have read permissions for all users
139650177364416:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:290:fopen('/usr/lib/ssl/certs/cceef5f6.0','r') 139650177364416:error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:292: 139650177364416:error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib:../crypto/x509/by_file.c:84:
In this case helps to add read permission to this certificate
$ sudo chmod +r /usr/local/share/ca-certificates/ESTEID-SK_2015.pem.crt