http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
Overview
If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add a trusted root certificate manually.
Use the following steps to add or remove trusted root certificates to/from a server.
Mac OS X
Add
Use command:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt
Remove
Use command:
sudo security delete-certificate -c ""
Windows
Add
Use command:
certutil -addstore -f "ROOT" new-root-certificate.crt
Remove
Use command:
certutil -delstore "ROOT" serial-number-hex
Linux (Ubuntu, Debian)
Add
Copy your CA certificate to the directory /usr/local/share/ca-certificates/
Use command:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store:
sudo update-ca-certificates
Remove
Remove your CA.
Update the CA store:
sudo update-ca-certificates --fresh
Restart Kerio Connect to reload the certificates in the 32-bit versions or Debian 7.
Linux (CentOS 6)
Add
Install the ca-certificates package:
yum install ca-certificates
Enable the dynamic CA configuration feature:
update-ca-trust enable
Add the certificate as a new file to /etc/pki/ca-trust/source/anchors/:
cp foo.crt /etc/pki/ca-trust/source/anchors/
Use command:
update-ca-trust extract
Restart Kerio Connect to reload the certificates in the 32-bit version.
Linux (CentOS 5)
Add
Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt
cat foo.crt >> /etc/pki/tls/certs/ca-bundle.crt
A better method for CentOS 5 would be:
sudo yum install /usr/bin/c_rehash
sudo cp foo.crt /etc/pki/tls/certs/foo.pem
sudo c_rehash
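To confirm the result of the Linux add and remove steps above, the following added example (not part of the original article) compares a certificate's SHA-256 fingerprint with a value obtained from the CA out-of-band and checks whether the certificate is present in a PEM bundle such as /etc/pki/tls/certs/ca-bundle.crt or, on Debian and Ubuntu, /etc/ssl/certs/ca-certificates.crt. The function names and the demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Uses only awk, base64, sha256sum.
# For a real certificate the output equals the hex digits printed by
# `openssl x509 -noout -fingerprint -sha256` (SHA-256 over the DER bytes).

# Print the SHA-256 fingerprint of every PEM certificate in file $1, one per line.
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside && body != "") print body; inside = 0; next }
        inside                        { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# Succeed only if the first certificate in file $1 has fingerprint $2
# (the value received out-of-band; colons, spaces and case are ignored).
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(pem_fingerprints "$1" | head -n 1)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Succeed if the certificate in file $2 is present in CA bundle $1.
bundle_has_cert() {
    fp=$(pem_fingerprints "$2" | head -n 1)
    [ -n "$fp" ] && pem_fingerprints "$1" | grep -qx "$fp"
}

# Demo on constructed data (placeholder bytes, not real X.509 certificates).
demo() {
    d=$(mktemp -d) || return 1
    for name in root-a root-b; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            "$(printf 'constructed %s' "$name" | base64)" \
            '-----END CERTIFICATE-----' > "$d/$name.crt"
    done
    cat "$d/root-a.crt" > "$d/bundle.crt"   # stands in for the rebuilt CA bundle
    bundle_has_cert "$d/bundle.crt" "$d/root-a.crt" && echo "root-a: present"
    bundle_has_cert "$d/bundle.crt" "$d/root-b.crt" || echo "root-b: absent"
    rm -rf "$d"
}
demo
```

Run fingerprint_matches before copying foo.crt into the trust directory, and bundle_has_cert after rebuilding the store to confirm the addition or the removal.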
Giving Debian as an example, install the ca-certificates package:
apt-get install ca-certificates
You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):
cp cacert.pem /usr/share/ca-certificates
To rebuild the directory with your certificate included, run as root:
dpkg-reconfigure ca-certificates
and select the ask option, scroll to your certificate, mark it for inclusion and select ok.
Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file
Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it to the Root CA list.
Most other commands, such as curl, take command-line switches you can use to point at your CA:
curl --cacert /path/to/CA/cert.file https://...
or drop the SSL validation altogether:
curl --insecure https://...
The rest will need individual investigation if the ca-certificates-like trick does not sort it for that particular application.