[linux上路] 开发环境准备四 Debian8 导入CA证书

问题说明

邮件配置成POP3，但是在同步时发生SSL错误，意思是CA认证失败。根本的原因是系统中没有安装证书。

操作步骤

Although not all applications under GNU/Linux distributions respect this, the applications very often utilise the certificates located within the /etc/ssl/certs directory. The certificates themselves are usually installed through the ca-certificates package. In order to install the custom CA certificate and integrate it properly into the system so that most applications will be able to find it, several steps should be performed.

虽然不是所有的GNU/ Linux发行版都遵循这一点，但通常linux发行版都从/ etc / ssl下/ certs目录中读取证书。系统自带的证书通常是通过ca-certificates软件包安装的。为了安装自定义的CA证书，并妥善整合到系统中，让大多数应用程序能够找到它，我们这样做：

安装ca-certificates软件包

Make sure you have installed the ca-certificates package.确认您的linux系统已经安装了ca-certificates软件包

Under Debian the package can be installed by issuing the following command:类Debain系统(凡是使用apt包管理系统的发行版，如Ubuntu、linuxmint等)可以采用如下命令安装:

$ apt-get install ca-certificates

Under Gentoo the package can be installed by issuing the following command:Gentoo系统可以采用如下命令安装:

$ emerge -v ca-certificates

Under Fedora the package can be installed by issuing the following command:Fedora系统可以采用如下命令安装:

$ yum install ca-certificates

确认证书格式

Make sure you have certificates in PEM format, with the .crt extension. For the purpose of this example the certificate file will be named Example Root.ca.确认您要安装的证书文件是PEM格式，后缀名是.crt。例如Root.ca，我实际操作时证书的后缀名是.crt，不知道为什么英文版文档里说例如Root.ca

存放证书的路径

Create a subdirectory within the /usr/share/ca-certificates/ directory. For the purpose of this example the directory will be named example.com. Place the certificate authority certificate into this subdirectory.建议在 /usr/share/ca-certificates/ 目录下创建单独的目录来保存您的CA证书文件。例如/usr/share/ca-certificates/example.com/Example Root.ca

修改配置文件

Append a new line listing the relative path (to the /usr/share/ca-certificates/ directory) to the certificate you just copied to the file /etc/ca-certificates.conf. For the purpose of this example the line will be：在 /etc/ca-certificates.conf文件中添加一行：您的证书文件去除 /usr/share/ca-certificates/ 目录后的相对路径。例如针对上面的例子，就只需要添加
example.com/Example Root.crt

重新更新证书

Finally, run the update-ca-certificates command as root in order to have it regenerate the /etc/ssl/certs directory to reflect the new changes.最后，用root权限运行update-ca-certificates 命令，它会重新收集证书并更新 /etc/ssl/certs/ca-certificates.crt文件

$ update-ca-certificates 

结语

After these steps many utilities (like wget, for example) will be able to properly utilise the newly-installed certificate. Keep in mind that some applications do not use the certificates located withing the /etc/ssl/certs/ directory (like Firefox, or Thunderbird), and in these cases you’ll have to import the certificate manually into each one of them.至此，绝大多数程序就能访问您的新证书了。少数程序如Firefox、Thunderbird等不读取/etc/ssl/certs目录下的证书，则需要您在相关程序中去单独导入。

我实际操作的结果是这样配置完毕后Thunderbird就可以使用了。

证书格式转换 http://netkiller.github.io/cryptography/openssl/format.html