The simple answer to this is that pretty much each application will handle it differently.
Also, OpenSSL and GnuTLS (the most widely used certificate processing libraries used to handle signed certificates) behave differently in their treatment of certs, which also complicates the issue. Also, operating systems utilize different mechanisms to utilize the “root CA” used by most websites.
That aside, giving Debian as an example. Install the
apt-get install ca-certificates
You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):
cp cacert.pem /usr/share/ca-certificates
And get it to rebuild the directory with your certificate included, run as root:
and select the ask option, scroll to your certificate, mark it for inclusion and select ok.
Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file
Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it to the Root CA list.
Most other commands such as curl take command line switches you can use to point at your CA,
curl --cacert /path/to/CA/cert.file https://...
or drop the SSL validation altogether
curl --insecure https://...
The rest will need individual investigation if the ca-certificates like trick does not sort it for that particular application.
For use in a non-interactive context (e.g. a chef recipe) you can use the following sequence:
Based on http://blog.sandipb.net/2009/08/08/adding-new-ca-certificates-in-ubuntu-jaunty/, you can do the following sequence that doesn’t need interactive selection:
sudo cp my.cert /usr/local/share/ca-certificates/
sudo update-ca-certificates
Tested and works on Debian 5/6.
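An added example, not part of the answers above: a shell function that vets a certificate before it is copied into the directory update-ca-certificates reads, so that only an unexpired certificate marked as a CA ends up trusted system-wide. The function name stage_ca_cert, the DEST_DIR variable and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answers): vet a CA certificate, then
# stage it for update-ca-certificates. DEST_DIR and the function name are
# assumptions of this example.
DEST_DIR="${DEST_DIR:-/usr/local/share/ca-certificates}"

stage_ca_cert() {
    src="$1"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }

    # The file must parse as a PEM-encoded X.509 certificate.
    openssl x509 -in "$src" -noout 2>/dev/null \
        || { echo "$src is not a PEM certificate" >&2; return 3; }

    # It must be marked as a CA; a leaf certificate has no place in a trust store.
    openssl x509 -in "$src" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$src lacks basicConstraints CA:TRUE" >&2; return 4; }

    # It must not have expired already.
    openssl x509 -in "$src" -noout -checkend 0 >/dev/null \
        || { echo "$src has expired" >&2; return 5; }

    # Print subject and SHA-256 fingerprint so they can be compared
    # out-of-band with the values recorded when the CA was created.
    openssl x509 -in "$src" -noout -subject -fingerprint -sha256 >&2

    # update-ca-certificates only picks up files ending in .crt below
    # /usr/local/share/ca-certificates, so normalise the extension.
    name=$(basename "$src")
    name="${name%.*}.crt"
    cp "$src" "$DEST_DIR/$name" && chmod 644 "$DEST_DIR/$name" || return 6

    # Print the staged path; the caller then runs update-ca-certificates.
    echo "$DEST_DIR/$name"
}
```

Run as root: stage_ca_cert cacert.pem, compare the printed fingerprint, then run update-ca-certificates.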