{{tag>Brouillon HTTPS TLS PKI CA}}

# Root CA certificate notes

See: curl

~~~
$ strace -f --trace=%file curl https://www.acme.fr 2>&1 |egrep -v 'ENOENT|/lib/' |grep ^open
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
~~~

To check: whether curl uses LIBNSS.

Test

~~~bash
curl -v -s --noproxy '*' -D - https://127.0.0.1:443/some-secure-endpoint
~~~

List the CAs on Debian

~~~bash
# Feed each PEM block of the bundle to its own openssl process and print its subject
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
~~~

List the CAs on RedHat

~~~bash
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/certs/ca-bundle.crt
~~~

Check the CAs

~~~bash
# stdin from /dev/null so that s_client exits once the handshake is done
openssl s_client -connect localhost:7000 -servername www.acme.fr -CAfile /tmp/cert.pem </dev/null | grep "^Certificate\[" -A11 | less
csplit -z ca-bundle.crt /#/ '{*}'
~~~

Whitelist / blacklist

~~~
# /etc/pki/ca-trust/source/whitelist/
# update-ca-trust
~~~

~~~
# trust dump --filter "pkcs11:id=%BD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1B;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
# update-ca-trust extract
# trust list | grep -C2 "AddTrust External"
p11-kit: overriding trust for anchor in blacklist: addtrust-external-root.p11-kit
pkcs11:id=%bd%bd%98%7a%34%b4%26%f7%fa%c4%26%54%ef%03%bd%e0%24%cb%54%1B;type=cert
    type: certificate
    label: AddTrust External Root
    trust: blacklisted
    category: authority
~~~

Back up the PKI (RedHat)

~~~bash
# Backup
cp -a /etc/pki /etc/pki.bak
# Restore
rsync -ax --delete /etc/pki.bak/ /etc/pki/
~~~

Remove a CA certificate

~~~bash
# The pkcs11 URI must be quoted: an unquoted ';' would end the command
trust anchor --remove "pkcs11:id=%15%FF%08%56%E0%6C%64%24%D0%56%70%91%87%8A%2B%2C%C6%5C%DD%34;type=cert"
# or
trust anchor --remove path.to/certificate.crt
~~~

or

~~~bash
# followed by the file name of the anchor to remove
rm /etc/pki/ca-trust/source/anchors/
update-ca-trust
~~~

### Split the bundle into individual certificates

Source: https://www.redhat.com/sysadmin/configure-ca-trust-list

Cut the bundle into individual files:

~~~bash
csplit -z ca-bundle.crt /#/ '{*}'
~~~

Remove blank lines:

~~~bash
sed -i '/^$/d' xx*
~~~

Rename the files:

~~~bash
# Each file starts with the "# Label" comment line; use it (minus '#' and spaces) as the file name
for file in xx*; do mv "$file" "$(head -n 1 "$file" | tr -d '# ')"; done
~~~

## Add a CA

See:

* https://www.redhat.com/en/blog/ca-certificates-cli

~~~bash
curl http://satellite.example.com/pub/katello-server-ca.crt -o /etc/pki/ca-trust/source/anchors/satellite-ca.crt
update-ca-trust
~~~

## Other

~~~
# rpm -ql ca-certificates
# rpm -q --filesbypkg ca-certificates |awk '/bin\// { print $2}'
/usr/bin/ca-legacy
/usr/bin/update-ca-trust
~~~
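As an added example (not part of these notes), a Python parser for the bundle layout that the split-the-bundle steps handle with csplit/sed/mv: it reads the `# <Label>` comment preceding each certificate, decodes the PEM body and computes the SHA-256 fingerprint, which can then be matched against a distrust list such as the blacklist above. `parse_bundle`, `filename_for`, `distrusted` and `SAMPLE_BUNDLE` are constructed for this example; the sample PEM bodies are not real certificates.

```python
# Added example (not from the original notes): parser for the PEM bundle layout the
# csplit/sed/mv steps split by hand (RedHat style, a "# <Label>" line before each cert).
# Debian's ca-certificates.crt has no label comments; those entries get a placeholder.
# SAMPLE_BUNDLE is constructed: its PEM bodies are base64 of arbitrary bytes, not certs.
import base64
import hashlib

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def parse_bundle(text: str) -> list[dict]:
    """One dict per certificate: label, DER bytes, colon-separated SHA-256."""
    certs, label, body = [], "(no label)", None
    for raw in text.splitlines():
        line = raw.strip()
        if body is None:                      # between PEM blocks
            if line.startswith("#"):
                label = line.lstrip("#").strip() or label
            elif line == BEGIN:
                body = []
        elif line == END:                     # block complete: decode and hash
            der = base64.b64decode("".join(body), validate=True)
            hexd = hashlib.sha256(der).hexdigest().upper()
            certs.append({"label": label, "der": der,
                          "sha256": ":".join(hexd[i:i + 2] for i in range(0, 64, 2))})
            body, label = None, "(no label)"
        else:
            body.append(line)
    if body is not None:
        raise ValueError("truncated PEM block: BEGIN without END")
    return certs

def filename_for(label: str) -> str:
    """Same file name as the rename step: tr -d '# ' drops '#' and spaces."""
    return label.replace("#", "").replace(" ", "")

def distrusted(certs: list[dict], blacklist: set[str]) -> list[str]:
    """Fingerprints of bundle entries whose label is on the distrust list."""
    return [c["sha256"] for c in certs if c["label"] in blacklist]

def _entry(label: str, payload: bytes) -> str:
    """Build one constructed bundle entry; payload is NOT a real DER certificate."""
    head = f"# {label}\n" if label else ""
    return f"{head}{BEGIN}\n{base64.encodebytes(payload).decode()}{END}\n"

SAMPLE_BUNDLE = (_entry("Example Root CA", b"fake-der-1") + "\n"
                 + _entry("AddTrust External Root", b"fake-der-2")
                 + _entry("", b"fake-der-3"))          # unlabelled, Debian style

if __name__ == "__main__":
    for c in parse_bundle(SAMPLE_BUNDLE):
        print(filename_for(c["label"]).ljust(24), c["sha256"])
```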