# linux系统导入CA证书

A lot of tutorials and how-to guides can be found on the Internet regarding the creation of self-signed certificates, or even of your own certificate authority. While the tutorials are usually very good and pretty straightforward, for some reason they seem to leave out the instructions for actually deploying the CA certificates.

Although not all applications under GNU/Linux distributions respect this, the applications very often utilise the certificates located within the /etc/ssl/certs directory. The certificates themselves are usually installed through the ca-certificates package. In order to install the custom CA certificate and integrate it properly into the system so that most applications will be able to find it, several steps should be performed.

1. Make sure you have installed the ca-certificates package.

1.确认您的linux系统已经安装了ca-certificates软件包

Under Debian the package can be installed by issuing the following command:

$apt-get install ca-certificates Under Gentoo the package can be installed by issuing the following command: Gentoo系统可以采用如下命令安装:$ emerge -v ca-certificates

Under Fedora the package can be installed by issuing the following command:

Fedora系统可以采用如下命令安装:

\$ yum install ca-certificates

2. Make sure you have certificates in PEM format, with the .crt extension. For the purpose of this example the certificate file will be named Example Root.ca

2.确认您要安装的证书文件是PEM格式，后缀名是.crt。例如Root.ca

3. Create a subdirectory within the /usr/share/ca-certificates/ directory. For the purpose of this example the directory will be named example.com. Place the certificate authority certificate into this subdirectory.

3.建议在 /usr/share/ca-certificates/ 目录下创建单独的目录来保存您的CA证书文件。例如/usr/share/ca-certificates/example.com/Example Root.ca

4. Append a new line listing the relative path (to the /usr/share/ca-certificates/ directory) to the certificate you just copied to the file /etc/ca-certificates.conf. For the purpose of this example the line will be：

4.在 /etc/ca-certificates.conf文件中添加一行：您的证书文件去除 /usr/share/ca-certificates/ 目录后的相对路径。例如针对上面的例子，就只需要添加
example.com/Example Root.ca

5. Finally, run the update-ca-certificates command as root in order to have it regenerate the /etc/ssl/certs directory to reflect the new changes.

5.最后，用root权限运行update-ca-certificates 命令，它会重新收集证书并更新 /etc/ssl/certs/ca-certificates.crt文件

After these steps many utilities (like wget, for example) will be able to properly utilise the newly-installed certificate. Keep in mind that some applications do not use the certificates located withing the /etc/ssl/certs/ directory (like Firefox, or Thunderbird), and in these cases you'll have to import the certificate manually into each one of them.

01-13

03-16 6354
09-07 318
11-15 13万+
06-16 2万+
12-02 3340
03-09 6933
07-15 685
11-21 9623
09-27 853
04-15 1万+
04-29 2683
04-11 1万+
07-19 110
02-04 321
09-24 124