How to update a CA certificate on Red Hat Enterprise Linux 7 and later

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7, 8, 9 and 10
  • ca-certificates

Issue

  • I purchased an SSL certificate and I have the CA bundle. When I try to verify the certificate, it fails with the error below:

    # openssl verify server.crt
    server.crt: C = US, O = Example Inc., CN = Example Inc. CA
    error 2 at 2 depth lookup:unable to get issuer certificate
    
  • How do I add a CA certificate to the trusted root certificates?

Resolution

There are two methods, both run from the command line: update-ca-trust or trust anchor.

You need copies of the root and intermediate (if any) CA certificates, in PEM format. Repeat the process below for each one of them.

Method 1 (Using update-ca-trust):

  1. Copy the CA certificate (example-ca.crt in the examples below) to the directory /etc/pki/ca-trust/source/anchors/:

    # cp example-ca.crt /etc/pki/ca-trust/source/anchors/
    
  2. Run update-ca-trust to regenerate the list of trusted CAs so it includes the new certificate:

    # update-ca-trust
    
  3. If you want to remove the CA certificate, remove example-ca.crt from /etc/pki/ca-trust/source/anchors then run update-ca-trust again.

Method 2 (Using trust anchor):

  1. Run trust anchor --store by specifying the CA certificate (example-ca.crt in the examples below):

    # trust anchor --store example-ca.crt
    
  2. Check the list of trusted CAs and verify the server certificate signed by the CA:

    # trust list
    pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a%ae%e4%aa%a8%1c%82%56%da%75;type=cert
    type: certificate
    label: Example Inc. RSA CA 2023
    trust: anchor
    category: authority
    ..snip..
    
  3. If you want to remove the CA certificate, run trust anchor --remove. For example,

    # trust anchor --remove pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a%ae%e4%aa%a8%1c%82%56%da%75
      or
    # trust anchor --remove /etc/pki/ca-trust/source/Example_Inc_2023.p11-kit
    
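As an added example (not part of this article), the following POSIX shell script applies Method 1 to a CA bundle: it splits the bundle into one PEM file per certificate, as the resolution asks, checks that each file is PEM before anchoring it, and re-runs the openssl check from the Diagnostic Steps. The bundle contents, file names and the split_bundle/install_anchor/verify_server helpers are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Helpers and sample data are
# constructed for the demonstration; only install_anchor needs root on RHEL 7+.

# split_bundle BUNDLE OUTDIR: write OUTDIR/ca-N.crt for each PEM certificate
# block in BUNDLE and print how many were written.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".crt" }
        n > 0 && out != ""           { print > out }
        /-----END CERTIFICATE-----/  { close(out); out = "" }
        END                          { print n + 0 }
    ' "$bundle"
}

# install_anchor CERT: Method 1 from the article. The anchors directory expects
# PEM, so refuse anything without a PEM header instead of silently copying it.
install_anchor() {
    cert=$1
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "$cert: not PEM; convert first with: openssl x509 -inform DER -in $cert -out ${cert%.*}.pem" >&2
        return 1
    fi
    cp "$cert" /etc/pki/ca-trust/source/anchors/ && update-ca-trust
}

# verify_server CERT: the check from Diagnostic Steps, against the system store.
verify_server() {
    openssl verify "$1"
}

# make_demo_bundle FILE: constructed two-block bundle (placeholder bodies, not
# real certificates) so split_bundle can be exercised without a real CA.
make_demo_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
ROOTCAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Typical use on a RHEL host (as root):
#   split_bundle ca-bundle.pem /tmp/anchors
#   for f in /tmp/anchors/ca-*.crt; do install_anchor "$f"; done
#   verify_server server.crt
```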

Root Cause

  • CA certificates are handled via the system trust store in RHEL 7 and later.

Diagnostic Steps

  • Verify that the SSL certificate is signed by the CA:

    # openssl verify server.crt
    server.crt: OK
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.