On Wed, Dec 13, 2023 at 9:58 PM Pocket <[email protected]> wrote:
>
> On 12/13/23 21:47, Jeffrey Walton wrote:
> > On Wed, Dec 13, 2023 at 7:55 PM Pocket <[email protected]> wrote:
> >> What formats does certs need to be to work with update-ca-certificates?
> >>
> >> PEM or DER?
> > PEM
>
> Ok since I am using an intermediate cert to sign, I am creating a
> combined PEM with the root CA and the intermediate cert like this
>
> cat "$directory"/certs/intermediate.cert.pem "$ca_directory"/certs/ca.cert.pem > "$directory"/certs/ca-chain.cert.pem
>
> Will that work or does the cert have to be a single cert?

I don't recall. I use one file for each certificate. Oh, and the file
extension should be *.crt, not *.pem.

> >> I have just finished writing some scripts to generate certs for my email
> >> server and nginx server.
> >>
> >> [...]
> >> Will pem format type certs work?
> > Yes.
> >
> > You should also place the certificates in
> > /usr/local/share/ca-certificates . Make the directory if it does not
> > exist. And then run update-ca-certificates from the directory.
>
> That sub directory does indeed exist, so I need to run
> update-cert-certificates from
>
> /usr/local/share/ca-certificates or can I just run update-cert-certificates
> as root?

I don't recall. I run update-ca-certificates from
/usr/local/share/ca-certificates as root.

You might also be interested in update-ca-certificates(8) at
<https://manpages.debian.org/buster/ca-certificates/update-ca-certificates.8.en.html>,
and OpenSSL's c_rehash at
<https://github.com/openssl/openssl/blob/master/tools/c_rehash.in>. In
the past, I believe update-ca-certificates relies upon c_rehash for
some operations.

Jeff
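
Added example, not part of the original thread and not code from either poster: one way to turn a combined chain file like ca-chain.cert.pem into the one-certificate-per-file, *.crt layout described in the reply above. The function names, the output prefix and the sample bundle are assumptions made for illustration.

```shell
#!/bin/sh
# split_pem_bundle BUNDLE OUTDIR [PREFIX]   (hypothetical helper)
# Writes OUTDIR/PREFIX-1.crt, PREFIX-2.crt, ... one certificate per file,
# and prints how many files were written. Text outside BEGIN/END is dropped.
# Returns non-zero if the bundle is unreadable or a block has no END line.
split_pem_bundle() {
    bundle=$1; outdir=$2; prefix=${3:-local-ca}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pre="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pre "-" n ".crt"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { if (inside) close(out); inside = 0 }
        END { print n + 0; if (inside) exit 2 }
    ' "$bundle"
}

# install_local_cas SRCDIR   (hypothetical helper; needs root, not run by the demo)
# Copies the split files into the directory named in the thread and
# rebuilds the trust store from there.
install_local_cas() {
    mkdir -p /usr/local/share/ca-certificates &&
    cp "$1"/*.crt /usr/local/share/ca-certificates/ &&
    update-ca-certificates
}

# Demo on a constructed bundle (placeholder base64, not real certificates).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ca-chain.cert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
EOF
    count=$(split_pem_bundle "$tmp/ca-chain.cert.pem" "$tmp/out" example) || return 1
    echo "wrote $count file(s):"; ls "$tmp/out"
    rm -rf "$tmp"
}
demo
```

The split files appear in the same order as the certificates in the bundle, so with the cat command quoted above the intermediate becomes file 1 and the root file 2.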

