Tuesday, April 12, 2022

[SOLVED] CA cert is only added to ca-bundle.trust.crt

Issue

Env:

Red Hat Enterprise Linux Server release 7.7 (Maipo)
# openssl version
OpenSSL 1.0.2g  1 Mar 2016

So a self-signed cert is generated using OpenSSL and the cacert.pem is put under /etc/pki/ca-trust/source/anchors/.

Now, according to the man page for update-ca-trust, the command should be run to add the cert to the trust store, and the cert is to be added under /etc/pki/ca-trust/extracted/.

After running the said command, I see that the cert is added only to /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt. But most applications, like curl, refer to the OS CA trust store at /etc/pki/ca-trust/extracted/openssl/ca-bundle.crt, which is linked to /etc/pki/tls/certs/ca-bundle.crt.

curl -v https://172.21.19.92/api
* About to connect() to 172.21.19.92 port 443 (#0)
*   Trying 172.21.19.92...
* Connected to 172.21.19.92 (172.21.19.92) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt

I understand that passing the --cacert option would be a way to overcome it, but I want to know why update-ca-trust only updates ca-bundle.trust.crt and not ca-bundle.crt, or the extracted Java keystore /etc/pki/ca-trust/extracted/java/cacerts as well.


Solution

The actual command that imports certificates into /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem is:

/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem

So the filters here are --filter=ca-anchors + --purpose server-auth. When you generate the cert, you have to add the purpose extendedKeyUsage=serverAuth explicitly:

# $SRV_NAME, $CA_NAME, $PASS, $SRV_DNS_NAMES_TEXT and $SRV_EMAIL are set beforehand;
# the <( ... ) process substitution that supplies the extension file requires bash.
openssl x509 -req -in $SRV_NAME.csr -CA $CA_NAME.crt -CAkey $CA_NAME.key -passin pass:"$PASS" -out $SRV_NAME.crt \
  -days 3650 -CAcreateserial \
  -extensions v3_ca \
  -extfile <(echo "[v3_ca]"; echo "extendedKeyUsage=serverAuth"; echo "subjectAltName=$SRV_DNS_NAMES_TEXT,email:$SRV_EMAIL")


Answered By - gavenkoa
Answer Checked By - Willingham (WPSolving Volunteer)
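A quick way to confirm whether an anchor from /etc/pki/ca-trust/source/anchors/ actually survived the p11-kit purpose filter and landed in the bundle curl reads (/etc/pki/tls/certs/ca-bundle.crt) is to compare SHA-256 fingerprints of the decoded DER on both sides. The script below is an added example, not part of the question or the answer; the self-test payloads it builds are constructed placeholders, not real certificates.

```python
"""Check that every anchor in a PEM file was extracted into a CA bundle.
Usage (paths from the question): check_anchor.py ANCHORS.pem /etc/pki/tls/certs/ca-bundle.crt
With no arguments a constructed self-test runs instead."""
import base64
import hashlib
import re
import sys

# One PEM certificate block. The "# Subject: ..." comment lines that
# p11-kit --comment writes between blocks never match, so they are skipped.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """Map SHA-256 fingerprint (hex) -> DER bytes for every cert in a PEM bundle.
    Hashing the decoded DER makes the match independent of line wrapping."""
    fps = {}
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        fps[hashlib.sha256(der).hexdigest()] = der
    return fps

def missing_anchors(anchor_text, bundle_text):
    """Return the fingerprints of anchors that the bundle does NOT contain."""
    return sorted(set(pem_fingerprints(anchor_text)) - set(pem_fingerprints(bundle_text)))

def to_pem(der):
    """Wrap DER bytes as a PEM certificate block (64-column lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def self_test():
    """Constructed data: the payloads are placeholders, not real certificates."""
    anchor = to_pem(b"constructed anchor: placeholder, not a real DER certificate")
    other = to_pem(b"constructed other CA: placeholder, not a real DER certificate")
    bundle = "# Subject: CN=Other CA (constructed comment line)\n" + other
    return missing_anchors(anchor, bundle), missing_anchors(anchor, bundle + anchor)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        anchors = open(sys.argv[1]).read()
        bundle = open(sys.argv[2]).read()
        gone = missing_anchors(anchors, bundle)
        print("all anchors present" if not gone else "missing: " + ", ".join(gone))
    else:
        missing, found = self_test()
        print(len(missing), "missing before;", len(found), "missing after adding anchor")
```

If an anchor is reported missing from ca-bundle.crt but present in ca-bundle.trust.crt, the filter in the answer above (ca-anchors plus server-auth purpose) is the first thing to check.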