1. Introduction
Over the years, the realm of secure communication has evolved significantly, offering different methods to safeguard our data exchanges. Public Key Infrastructure (PKI) stands out as a prominent technology, often paired with HTTPS (SSL/TLS) to ensure secure data transmission. Digital certificates play a pivotal role in carrying out this secure interaction.
In this tutorial, we’ll explore the procedure for adding, removing, and updating CA certificates.
2. Trust Store
CA certificates help us identify and trust other parties. When a third party sends a certificate, the client who receives it validates the certificate.
First, the client retrieves the public key of that particular CA who has signed the certificate, from its trust store. It then decrypts the signature present in the third party’s certificate to obtain a hash value.
Next, the client independently calculates the hash using the client certificate data and compares it with the decrypted hash value. If it matches, the third party can be trusted. Typically, certificate verification happens in this manner.
This emphasizes the significance of the CA certificate’s legitimacy. We need to be extremely careful while adding a CA certificate to our trust store.
There could be different entities that we may want to connect to. They all will have digital certificates, but they might be signed by different CAs. Thus, we should also keep CA certificates from all possible CAs. And this becomes our trust store.
As we know, all certificates have a validity period, after which they are considered invalid for any transaction. As a result, we’ll need to update or remove certificates from our trust store. Typically, CA certificates have a longer validity period, so we don’t have to do this very often.
3. Managing CA Certificates
To add a CA certificate, we need the certificate file. PEM is one common format in which we receive a certificate file. This has the ‘—-BEGIN CERTIFICATE—-‘ tag in it.
First, we need to copy the file to the trust store, and then, we have to update the trust store.
Various distributions handle this differently. Let’s look at the procedure for Debian and Red Hat distributions.
3.1. Debian Distributions
In Debian-based distributions, certificate management is done using the update-ca-certificates command. This command gathers certificates from different folder locations and combines them into a single file.
We can find the combined file stored at /etc/ssl/certs/ca-certificates.crt. This makes it convenient for other applications to use this concatenated file to obtain all the available CA certificates in the system.
The update-ca-certificates command searches for CA certificates in two locations:
- /usr/share/ca-certificates
- /usr/local/share/ca-certificates
To add a certificate, we can copy the CA certificates to one of these locations with the cp command, and run the update-ca-certificates command:
$ sudo cp cacert.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificatesFor updating the certificate, we can replace the old certificate with a new one at the location where we initially placed it. If we need to remove a certificate, we would simply delete the certificate file.
Whenever we make changes to these folders, we have to run the update-ca-certificates command to update the trust store.
In case we find symlinks to old or non-existent files, we’ll need to run the command with -f option to freshen the trust store.
3.2. Red Hat Distributions
For Red Hat-based distributions, the procedure remains almost the same — just the command and location to place the certificates differ. Here, the update-ca-trust command helps us manage the CA certificates in the system.
When we run the command, it searches two locations for CA certificates:
- /usr/share/pki/ca-trust-source/ – low priority
- /etc/pki/ca-trust/source/ – high priority
The CA certificates placed at the low-priority location can be overridden by the admin. This can be done by copying a different certificate to the high-priority location. When there is a clash in the certificates, the one in the high-priority location is given precedence.
There are two main subfolders in this path:
- anchors – holds the trusted certificates
- blacklist – holds the rejected certificates
Now that we know where to store our certificates, we can run the update-ca-trust command to aggregate the new certificates to the trust settings. We can either remove the certificate file or copy a new one and run the update-ca-trust command to revoke or update a certificate.
In case we need to prepare the consolidated file, we can run the command with the extract option.
4. Conclusion
In this article, we’ve seen the role that CA certificates play in carrying out a secure transaction. We’ve also learned what constitutes a trust store and how to update the trust store by adding, updating, and removing CA certificates in both Debian and Red Hat distributions.