How to install a CA certificate on Red Hat Enterprise Linux 6

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 6
  • ca-certificates

Issue

  • I purchased an SSL certificate and I have the CA bundle.

  • When I try to verify the certificate, it fails with the error below.

    # openssl verify server.crt
    server.crt: C = US, O = Example Inc., CN = Example Inc. CA
    error 2 at 2 depth lookup:unable to get issuer certificate
    

Resolution

You need copies of the root and intermediate (if any) CA certificates in PEM format. Repeat the process below for each of them.

  1. Install/update the latest ca-certificates package.

    # yum install ca-certificates
    
  2. Enable the dynamic CA configuration feature by running:

    # update-ca-trust enable
    
  3. Get a copy of the CA certificate (example-ca.crt in the examples below).

  4. Copy the CA certificate to the directory /etc/pki/ca-trust/source/anchors/:

    # cp example-ca.crt /etc/pki/ca-trust/source/anchors/
    
  5. Extract and add the CA certificate to the list of trusted CAs:

    # update-ca-trust extract
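
Every file placed in the anchors directory becomes trusted system-wide, so inspect it before copying. The script below is an added example, not part of the original Red Hat solution: it splits a CA bundle into one PEM file per certificate, so the steps above can be repeated for each, and prints the subject, issuer, expiry date and SHA-256 fingerprint for review. The function names, the `ca-N.crt` file names and the temporary staging directory are assumptions.

```bash
#!/bin/bash
# Added example, not Red Hat's tooling: stage a CA bundle for the anchors directory.

# split_bundle BUNDLE OUTDIR
# Writes each complete PEM certificate in BUNDLE to OUTDIR/ca-N.crt and prints
# the number written. Text between blocks, CRLF line endings and a truncated
# final block (BEGIN without END) are dropped.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { buf = ""; inside = 1 }
        inside { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----$/ && inside {
            n++; out = sprintf("%s/ca-%d.crt", dir, n)
            printf "%s", buf > out; close(out); inside = 0
        }
        END { print n + 0 }
    ' "$1"
}

# review_cert FILE
# Prints what to check before trusting FILE system-wide. Fails if FILE does not
# parse, has expired, or lacks CA:TRUE (old v1 roots carry no extensions and
# are flagged too, so review those by hand).
review_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate \
        -fingerprint -sha256 || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Run as: sh stage-ca.sh ca-bundle.pem  (script name is hypothetical)
if [ "$#" -eq 1 ]; then
    stage=$(mktemp -d) || exit 1
    count=$(split_bundle "$1" "$stage") || exit 1
    echo "found $count certificate(s) in $1, staged in $stage"
    for f in "$stage"/ca-*.crt; do
        [ -e "$f" ] || continue
        if review_cert "$f"; then
            echo "  looks like a valid CA; once the fingerprint matches the CA's published value:"
            echo "  cp $f /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract"
        else
            echo "  do not install $f: unparsable, expired or not a CA" >&2
        fi
    done
fi
```

The script only prints the `cp` and `update-ca-trust extract` commands; it never writes to the trust store itself.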
    

Root Cause

  • CA certificates are handled via the system trust store in RHEL 6

Diagnostic Steps

  • Check the list of trusted CAs:

    (1)
    # openssl crl2pkcs7 -nocrl -certfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | openssl pkcs7 -print_certs -noout
    (2)
    # openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/cert.pem | openssl pkcs7 -print_certs -noout
    
  • Verify that the SSL certificate is signed by the CA:

    # openssl verify  server.crt 
    server.crt : OK
    