
Kyle Pericak

"It works in my environment"

Created: 2020-01-08
Updated: 2020-01-08

Ubuntu: Blindly Trusting the Corporate CA

Category: systems administration
Tags: ubuntu, https

Trusting a CA-signed certificate from a company's firewall on Ubuntu

Note: This is usually a bad idea. You should really get the team who runs the CA to send you the certificate in case some bad guy is doing the MITM and not the local security team. Use this procedure with caution.


Get the signing certificate

Use openssl to print the certificate data.

openssl s_client -connect google.com:443 -showcerts

In the output you'll see, among other things, some certificates. They look like this:

-----BEGIN CERTIFICATE-----
blaBLAbla
-----END CERTIFICATE-----

Find the one signed by your local CA. Copy and paste it into a new file, such as example.com.crt. The .crt file extension is required. Don't copy anything before or after the BEGIN and END lines.
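The check the note at the top asks for can be scripted before anything goes into the trust store. The script below is an added example, not part of the original post: it splits a saved copy of the s_client output into one file per certificate and prints each subject, issuer and SHA-256 fingerprint for comparison with what the CA team gives you. The names capture.txt, check-chain.sh, cert-N.crt and the two function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Input is a saved capture, e.g.
#   openssl s_client -connect google.com:443 -showcerts </dev/null >capture.txt
# Usage: sh check-chain.sh capture.txt

# split_chain CAPTURE OUTDIR
# Writes OUTDIR/cert-1.crt, cert-2.crt, ... (BEGIN/END lines included, nothing
# before or after them) and prints the number of certificates found.
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".crt"; keep = 1 }
        keep { print > out }
        /^-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# describe_chain OUTDIR
# Prints what you need to check each certificate with the team that runs the CA.
describe_chain() {
    for crt in "$1"/cert-*.crt; do
        [ -f "$crt" ] || continue
        echo "== $crt"
        openssl x509 -in "$crt" -noout -subject -issuer -fingerprint -sha256
        # A signing (CA) certificate carries basicConstraints CA:TRUE.
        if openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE'; then
            echo "basicConstraints: CA:TRUE (candidate signing certificate)"
        fi
    done
}

if [ -n "${1:-}" ]; then
    work=$(mktemp -d) || exit 1
    count=$(split_chain "$1" "$work") || exit 1
    echo "$count certificate(s) found, written to $work"
    describe_chain "$work"
    echo "Install a file only after its SHA-256 fingerprint matches the value"
    echo "the CA team gave you over a separate channel."
fi
```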


Trust the certificate

As root, move the certificate file to /usr/local/share/ca-certificates, then run update-ca-certificates.

mv example.com.crt /usr/local/share/ca-certificates
update-ca-certificates

That's it. Now your system will trust certs signed by that CA too.
