Trusting a server certificate manually

I want to add a certificate to the local security store on PureOS, so that it is trusted by applications. How do I do that?

I tried copying the certificate to /usr/local/share/ca-certificates/ and ran sudo dpkg-reconfigure ca-certificates per a suggestion for Debian. I also tried copying it to /etc/ssl/certs/ and running sudo update-ca-certificates. Here is a sample output:

$ sudo dpkg-reconfigure ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Processing triggers for ca-certificates (20210119) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Does PureOS manage the certificates in some special way in comparison to Debian, or am I doing it wrong?

The certificate was obtained by copying from openssl output as described for an XMPP server. The idea is to trust the hosting server certificate for a custom XMPP server domain, so that it could be used in Dino. Dino does not provide a way to trust the certificate manually and does not support PKIX over HTTP yet (see issue #451 on Dino’s GitHub). I wasn’t able to receive files with Chatty when they are shared via file upload, so I hoped to use Dino for that. This is on a Librem 5 device.

1 Like

StackExchange isn’t the official Debian docs though, so the information might be misleading.

Now I haven’t found the exact Debian docs page for this, but I have the following findings:

  1. running dpkg-reconfigure ca-certificates has some interactive output, and only talks about certificates in /usr/share/ca-certificates; nothing about /usr/local/share/ca-certificates

  2. the manpage for the script, update-ca-certificates, contained in the above package however, does mention both paths: update-ca-certificates(8) — ca-certificates — Debian buster — Debian Manpages

And indeed, if I put a .crt file in /usr/local/share/ca-certificates (mine was empty so it errored out…):

$ sudo update-ca-certificates 
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping test.pem,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Warning: there was a problem reading the certificate file /etc/ssl/certs/test.pem. Message:
  Could not parse certificate: java.io.IOException: Empty input
done.
done.

It seems like that script is what you want to run.

2 Likes
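The reply above shows the two things that bite in practice: the file has to land in /usr/local/share/ca-certificates, and update-ca-certificates skips any file that does not hold exactly one certificate (the "test.pem" warning). The man page also only picks up files there with a .crt suffix. The script below is an added example, not code from the thread or from the ca-certificates package: it checks a PEM file for those conditions before installing it, then confirms the symlink that update-ca-certificates creates in /etc/ssl/certs. The function names and the use of `install` and `openssl` are my own assumptions about the environment.

```shell
#!/bin/sh
# Added example (not from the forum thread): sanity-check a PEM file the way
# update-ca-certificates(8) will treat it before installing it under
# /usr/local/share/ca-certificates. Only *.crt files in that directory are
# considered, and a file must contain exactly one certificate or the rehash
# step skips it (the "does not contain exactly one certificate" warning).

# Print how many PEM certificate blocks a file contains (0 if none or unreadable).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Return 0 only if FILE ends in .crt and holds exactly one complete PEM block.
check_ca_cert_file() {
    f=$1
    case "$f" in
        *.crt) ;;
        *) echo "skip: $f needs a .crt suffix to be picked up" >&2; return 1 ;;
    esac
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$f" 2>/dev/null || true)
    if [ "$b" != 1 ] || [ "$e" != 1 ]; then
        echo "skip: $f has $b BEGIN / $e END markers, need exactly one of each" >&2
        return 1
    fi
    return 0
}

# Install FILE as /usr/local/share/ca-certificates/NAME.crt and rebuild
# /etc/ssl/certs. Must run as root; NAME is any name you choose.
# Assumption: openssl and GNU install are available (both are on Debian/PureOS).
install_local_ca() {
    f=$1
    name=$2
    check_ca_cert_file "$f" || return 1
    # Parse the certificate so a garbage body is caught before it is trusted.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$f" -noout || return 1
    fi
    install -m 0644 "$f" "/usr/local/share/ca-certificates/$name.crt" || return 1
    update-ca-certificates
    # On success update-ca-certificates links the cert as /etc/ssl/certs/NAME.pem
    # and appends it to the /etc/ssl/certs/ca-certificates.crt bundle.
    [ -e "/etc/ssl/certs/$name.pem" ]
}

# Usage: sudo ./trust-cert.sh server.pem my-xmpp-server
if [ "$#" -ge 2 ]; then
    install_local_ca "$1" "$2"
fi
```

Run `check_ca_cert_file` on its own first when a file is rejected; it tells you whether the suffix or the certificate count is the problem, which the terse "0 added" output does not.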