How to install CA certificates on RHEL 4 and RHEL 5?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5

Issue

  • Need to install a trusted CA certificate on RHEL4 and RHEL5

Resolution

On RHEL6 and RHEL7 the update-ca-trust command is used for this. It is not available on RHEL4 and RHEL5, so the new CA certificate has to be added to the bundle file manually.

Follow the steps below:

RHEL4

  • Copy the new CA certificate to a temporary location

  • Switch to /usr/share/ssl/certs directory:

    # cd /usr/share/ssl/certs
    
  • Verify the new certificate

    # openssl verify newcert.crt 
     CA/my-ca.crt: /C=IN/ST=Maharashtra/L=Pune/O=CA Inc./OU=Cert Authority/CN=example.local/emailAddress=admin@example.local
     error 18 at 0 depth lookup:self signed certificate
     OK
    
  • Take a backup of the existing bundle file

    # cp -a ca-bundle.crt{,.bak} 
    
  • Append the new certificate to the CA bundle

    # cat newcert.crt >> ca-bundle.crt
    
  • Verify the CA bundle and check the last section of the output for the new certificate

    # openssl crl2pkcs7 -nocrl -certfile ca-bundle.crt | openssl pkcs7 -print_certs -text -noout
    

RHEL5

  • Copy the new CA certificate to a temporary location

  • Switch to /etc/pki/tls/certs directory:

    # cd /etc/pki/tls/certs
    
  • Verify the new certificate

    # openssl verify newcert.crt 
     CA/my-ca.crt: /C=IN/ST=Maharashtra/L=Pune/O=CA Inc./OU=Cert Authority/CN=example.local/emailAddress=admin@example.local
     error 18 at 0 depth lookup:self signed certificate
     OK

  • Take a backup of the existing bundle file

    # cp -a ca-bundle.crt{,.bak} 
    
  • Append the new certificate to the CA bundle

    # cat newcert.crt >> ca-bundle.crt
    
  • Verify the CA bundle and check the last section of the output for the new certificate

    # openssl crl2pkcs7 -nocrl -certfile ca-bundle.crt | openssl pkcs7 -print_certs -text -noout
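
A guarded form of the backup, append and bundle-check steps, usable for either the RHEL4 or the RHEL5 path. This is an added example, not part of the original article and not Red Hat tooling; the function names, argument order and exit codes are this example's own. It checks PEM structure only, so the openssl verify step above is still required.

```shell
#!/bin/sh
# Added example: a guarded version of `cat newcert.crt >> ca-bundle.crt`.
# File names are passed as arguments; exit codes are this example's convention.

# Print every certificate in a PEM file as one line of base64
# (header/footer lines, surrounding text and line breaks removed).
pem_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# append_ca CERT BUNDLE
# Returns 0 appended, 1 unreadable/unwritable file, 2 CERT is not exactly one
# PEM certificate, 3 already in BUNDLE, 4 count check failed (bundle restored).
append_ca() (
    cert=$1 bundle=$2
    [ -r "$cert" ] && [ -w "$bundle" ] || exit 1

    # A DER file, an empty file or a multi-certificate chain is rejected.
    new=$(pem_bodies "$cert")
    [ -n "$new" ] && [ "$(printf '%s\n' "$new" | wc -l)" -eq 1 ] || exit 2

    # Refuse to add the same certificate twice.
    if pem_bodies "$bundle" | grep -qxF -e "$new"; then exit 3; fi

    before=$(pem_bodies "$bundle" | wc -l)
    cp -p "$bundle" "$bundle.bak"

    # If the bundle does not end in a newline, a plain append would fuse
    # "-----END CERTIFICATE-----" with the next "-----BEGIN CERTIFICATE-----".
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        echo >> "$bundle"
    fi
    cat "$cert" >> "$bundle"

    # The bundle must now parse as exactly one more certificate.
    after=$(pem_bodies "$bundle" | wc -l)
    if [ "$after" -ne $((before + 1)) ]; then
        cp -p "$bundle.bak" "$bundle"
        exit 4
    fi
)

# Usage: sh append_ca.sh newcert.crt ca-bundle.crt
if [ "$#" -eq 2 ]; then append_ca "$1" "$2"; fi
```
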
    

See also: How to install CA Certificate on Red Hat Enterprise Linux 6/7?

Note

Red Hat Enterprise Linux 4 and 5 have reached the End of Production Phase and transitioned to the Extended Life Phase. Refer to the following articles:
FAQ: Red Hat Enterprise Linux 4 Reaches End of Production Phase and Transitions to Extended Life Phase
FAQ: Red Hat Enterprise Linux 5 Reaches End of Production Phase and Transitions to Extended Life Phase

Root Cause

The update-ca-trust command is only available with the ca-certificates package, which is not available for RHEL4 and RHEL5, so the new CA certificate has to be added to the bundle manually.

Diagnostic Steps

  • Verify the existing CA certificates in the CA bundle

    # openssl crl2pkcs7 -nocrl -certfile ca-bundle.crt | openssl pkcs7 -print_certs -text -noout
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.