Adding Root CA Certificates For Use By NSS Applications?
I’m trying to get a third party application to use the root CA
certificate of an SSL proxy – but can’t work out how to install the cert for use by all users on CentOS 7
I have the proxy vendor’s supplied CA cert in PEM format
I can install the cert in a user’s home directory using ‘certutil’ – and the application works OK – but I would like to do ‘something’ to install this cert somewhere central that will be picked up by all users
After a bit of Googling, I’ve found that by default, EL7 uses
‘p11-kit-trust.so’ (from the p11-kit-trust package) as a drop-in replacement for the nss supplied ‘libnssckbi.so’ (via ‘alternatives’) –
which, I believe, should be able to pick up CA certs installed under
/etc/pki/ca-trust/source/anchors/
Strace’ing the app, I can see it reading the files under
/etc/pki/ca-trust/source/… including the required CA cert – but the app fails to connect – but I have no idea what might be wrong …
Am I missing something obvious here?
Is there an easier way to achieve what I want?
Thanks
James Pearson
Recent Comments