If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add a trusted root certificate manually.
Use the following steps to add or remove trusted root certificates to/from a server.
Mac OS X
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt
sudo security delete-certificate -c "<certificate name>"
Windows
certutil -addstore -f "ROOT" new-root-certificate.crt
certutil -delstore "ROOT" serial-number-hex
Linux (Ubuntu, Debian)
Copy your CA certificate to the directory /usr/local/share/ca-certificates/:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store:
Remove your CA.
Update the CA store:
sudo update-ca-certificates --fresh
Restart Kerio Connect to reload the certificates in the 32-bit versions or Debian 7.
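Before a certificate is copied into the store it is worth checking that it really is a root CA and that it is the one you were given. The script below is an added example, not part of the original article; it assumes the openssl command-line tool is installed, and the function names and the EXPECTED_FP value are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): vet a candidate root before trusting it.

# vet_root_cert FILE: print the SHA-256 fingerprint and return 0 only if FILE
# parses, is self-issued, is marked as a CA, and has not expired.
vet_root_cert() {
    crt=$1
    openssl x509 -in "$crt" -noout 2>/dev/null ||
        { echo "$crt: not a PEM X.509 certificate" >&2; return 1; }
    # A root names itself as issuer, so the two name hashes must match.
    subj=$(openssl x509 -in "$crt" -noout -subject_hash)
    issr=$(openssl x509 -in "$crt" -noout -issuer_hash)
    [ "$subj" = "$issr" ] ||
        { echo "$crt: issuer differs from subject, not a root" >&2; return 2; }
    # A leaf certificate must never become a trust anchor.
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' ||
        { echo "$crt: basicConstraints is not CA:TRUE" >&2; return 3; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "$crt: certificate has expired" >&2; return 4; }
    openssl x509 -in "$crt" -noout -fingerprint -sha256
}

# norm_fp: strip colons/spaces and upper-case so fingerprints compare reliably.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# vet_and_pin FILE EXPECTED_FP: additionally require that the fingerprint equals
# one obtained out of band from the CA's owner (EXPECTED_FP is a hypothetical input).
vet_and_pin() {
    out=$(vet_root_cert "$1") || return $?
    [ "$(norm_fp "${out#*=}")" = "$(norm_fp "$2")" ] ||
        { echo "$1: fingerprint does not match the expected value" >&2; return 5; }
}

# Usage on Debian/Ubuntu, with the paths from the steps above:
#   vet_and_pin foo.crt "$EXPECTED_FP" &&
#     sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt &&
#     sudo update-ca-certificates
if [ "$#" -eq 2 ]; then vet_and_pin "$1" "$2"; fi
```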
Linux (CentOS 6)
Install the ca-certificates package:
yum install ca-certificates
Enable the dynamic CA configuration feature:
Add it as a new file to /etc/pki/ca-trust/source/anchors/:
cp foo.crt /etc/pki/ca-trust/source/anchors/
Restart Kerio Connect to reload the certificates in the 32-bit version.
Linux (CentOS 5)
Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt:
cat foo.crt >> /etc/pki/tls/certs/ca-bundle.crt
A better method for CentOS 5 would be:
sudo yum install /usr/bin/c_rehash
sudo cp foo.crt /etc/pki/tls/certs/foo.pem
Giving Debian as an example. Install the
apt-get install ca-certificates
You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):
cp cacert.pem /usr/share/ca-certificates
And get it to rebuild the directory with your certificate included, run as root:
and select the ask option, scroll to your certificate, mark it for inclusion and select ok.
Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file
Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it to the Root CA list.
Most other commands such as curl take command line switches you can use to point at your CA,
curl --cacert /path/to/CA/cert.file https://...
or drop the SSL validation altogether
curl --insecure https://...
The rest will need individual investigation if the ca-certificates like trick does not sort it for that particular application.