
All of the well-known graphical web browsers ship with a collection of known and trusted Certificate Authority (CA) certificates, so when you visit a site with a certificate signed by one of those CA certificates, the browser also trusts the site. Otherwise, the browser steps through a series of warnings and options to add an exception after encouraging you to verify the certificate. There are also options to import additional CA certificates, such as those documented for Firefox.

Using CA certificates with command line utilities

CA certificates can be made available at the command line as well. A package included with many distributions, including Red Hat Enterprise Linux and Fedora, is called ca-certificates. This package is self-described as containing "the set of CA certificates chosen by the Mozilla Foundation for use with the Internet PKI." This package includes the same well-known CA certificates found in Firefox. It can be used by any CLI application that looks directly at the /etc/pki/ca-trust/extracted directory, along with the CLI applications that load one of the PKCS#11 trust modules.

Command-line utilities such as curl and wget can use these CA certificates to validate server certificates. Many tools provided with Red Hat Enterprise Linux also use these certificates, including for interactions with Red Hat support (redhat-support-tool), Red Hat OpenShift clusters (oc), and Red Hat Satellite 6 servers (hammer). Many other interactions with server API interfaces also use SSL/TLS and should validate the certificates offered.

With the ca-certificates package installed, I can use curl to view or download URL content from a site using a certificate signed by a well-known CA without error: 

$ curl https://access.redhat.com -o /tmp/sample

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  103k    0  103k    0     0   339k      0 --:--:-- --:--:-- --:--:--  337k

If I try to access an internal site that has a self-signed certificate (or a certificate signed by a CA that is not included with the ca-certificates package), curl refuses to complete the connection because the certificate is not trusted:

$ curl https://somehost.internal-FQDN/

curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Some documentation encourages a simple insecure connection for these internal and trusted sites. Curl can skip certificate verification entirely with the -k option, which also gives up the protection against a server impersonating the one you meant to reach:

$ curl -k https://somehost.internal-FQDN/

Or, if I have verified and downloaded my internal CA certificate, I can tell curl to verify the site with that certificate:

$ curl --cacert /path/to/cert-file https://somehost.internal-FQDN/

Other programs are similar. With the OpenShift and Origin tool for managing applications (oc), a connection to a default installed cluster may not recognize the generated, self-signed CA certificate that the cluster uses to sign other internal certificates. This issue includes a connection to CodeReady Containers:

$ oc login -u developer -p developer https://api.crc.testing:6443

The server uses a certificate signed by an unknown authority.

You can bypass the certificate check, but any data you send to the server could be intercepted by others. Use insecure connections? (y/n):

If you have a copy of the certificates, specify the client certificate with the --client-certificate="" option, or the CA certificate with the --certificate-authority="" option, when using the oc command.

Red Hat Satellite server and the CLI tool hammer work similarly, but the CA certificate can be specified at the command line or in the ~/.hammer/cli_config.yml file. The hammer command also has an option to import the Satellite CA certificate directly into the user's .hammer configuration directory:

$ hammer --fetch-ca-cert https://satellite.example.com

CA certificate for https://satellite.example.com was stored to 

...output omitted...

This command only makes the certificate available for the single user and would have to be repeated for each user on the system. To make the certificate available to all users on a system, the output of the hammer command even suggests using ca-certificates.

Updating ca-certificates to validate sites with an internal CA certificate

Instead of manually specifying the CA certificate with each command, we can add our internal CA certificates to the CA trust provided by the ca-certificates package. This package provides a directory structure in /etc/pki/ to manage the certificates and a command update-ca-trust to manage the "consolidated and dynamic configuration of CA certificates and associated trust":

$ ls /etc/pki/ca-trust/ 
ca-legacy.conf extracted README source

$ ls /etc/pki/ca-trust/source 
anchors blacklist ca-bundle.legacy.crt README 

To add a certificate, download it, place it into the /etc/pki/ca-trust/source/anchors directory, and then run the command update-ca-trust. You will need to be root for these two tasks:

$ sudo curl http://satellite.example.com/pub/katello-server-ca.crt -o /etc/pki/ca-trust/source/anchors/satellite-ca.crt
$ sudo update-ca-trust

Once the update command is issued, the certificate is made available through the /etc/pki/ca-trust/extracted tree:

$ ls /etc/pki/ca-trust/extracted 
edk2 java openssl pem README

Applications that look to this directory to verify certificates can use any of the formats provided. The update command handles the copies, conversions, and consolidation for the different formats. The man page for update-ca-trust has more information about the directory structure, formats, and ways that certificates are accessed, but a quick way to list all of the certificate subjects in the bundle is with the following awk and openssl commands:

$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
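The two steps above (copy the certificate into anchors and run update-ca-trust) and the subject-listing pipeline can be combined into a small script that also checks the anchor file before trusting it and confirms the new CA really landed in the consolidated bundle. This is an added example, not code from the article; the paths follow the ca-certificates layout described above and can be overridden with the ANCHORS_DIR and BUNDLE environment variables.

```shell
#!/bin/sh
# Added example: install an internal CA into the ca-certificates anchors
# directory, refresh the trust store, and verify the result.
ANCHORS_DIR="${ANCHORS_DIR:-/etc/pki/ca-trust/source/anchors}"
BUNDLE="${BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"

# Count the certificates in a PEM bundle by its BEGIN markers (no openssl needed).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Sanity-check an anchor file before trusting it: PEM markers must be present,
# balanced, and there must be exactly one certificate. A binary DER file fails
# here; convert it first with: openssl x509 -inform der -in ca.der -out ca.crt
is_single_pem_cert() {
    local begins ends
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# The article's awk/openssl pipeline: one "subject=..." line per certificate.
list_subjects() {
    awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}

# Install an anchor and confirm its subject appears in the extracted bundle.
# Usage: install_ca /path/to/ca.crt satellite-ca
install_ca() {
    local src="$1" name="$2" want before after
    is_single_pem_cert "$src" || {
        echo "refusing $src: not a single PEM certificate" >&2; return 1; }
    want=$(openssl x509 -noout -subject -in "$src")
    before=$(count_certs "$BUNDLE")
    sudo install -m 0644 "$src" "$ANCHORS_DIR/$name.crt"
    sudo update-ca-trust
    after=$(count_certs "$BUNDLE")
    echo "bundle grew from $before to $after certificates"
    # Same openssl formatting on both sides, so an exact line match is enough.
    list_subjects "$BUNDLE" | grep -Fqx -- "$want"
}

# Run only when called with a certificate file and an anchor name.
if [ "$#" -eq 2 ]; then
    install_ca "$1" "$2"
fi
```

The final grep is the real check: update-ca-trust exiting 0 only says the extraction ran, not that your anchor was a certificate it could parse.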

Now that I have added the CA certificate for my Satellite Server, I can use curl without any additional certificate options to access the API:

$ curl --request GET --user admin https://satellite.example.com/katello/api/organizations 

Enter host password for user 'admin': 

{ "total": 1, "subtotal": 1,

...output omitted...

The same is true for oc commands, hammer commands, and many other command-line applications. These utilities can use the certificates managed by ca-trust to validate your connections.



About the author

Susan Lauber is a Consultant and Technical Trainer with her own company, Lauber System Solutions, Inc. She has over 25 years of experience working with Information Systems and specializes in Open Source technologies, specifically platform and data center installation, interoperability, automation, and security.

Susan is always an open source advocate and ambassador of projects she follows. She contributes to projects mostly by way of documentation and QA processes. She has contributed to Fedora Magazine and Opensource.com and is the author of "Linux Command Line Complete Video Course" (2016, Prentice Hall).

Susan is an independent instructor for several companies and holds an alphabet of certifications in those products. She is also a Certified Information Systems Security Professional (CISSP) and a Certified Technical Trainer (CTT). She has been a Red Hat Certified Instructor since 1999 and a co-author and contributor to several Red Hat Training student guides.

Follow her on twitter @laubersm to see what she is reading. Posts include a variety of technology topics as well as some travel, animals, sports, and other randomness.
