I'm not a certificate expert, but I have gone through different resources on the internet and couldn't get this to work, so I'm posting here.
I have a cert that I would like to include in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
OS details:
Let's say this cert is xx_exp_2023_11_30.cer.
So, I have copied it to /etc/pki/ca-trust/source/anchors/ and then run
update-ca-trust force-enable
update-ca-trust extract
and neither of them throws an error.
As per this link, I have also done this check:
openssl x509 -noout -text -in xx_exp_2023_11_30.cer | grep --after-context=2 "X509v3 Basic Constraints" | grep "CA:TRUE"
but I still do not see the contents being included in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, i.e.
cat tls-ca-bundle.pem | grep <first few characters of the certfile>
yields nothing. The same grep command yields results for other cert files copied over to /etc/pki/ca-trust/source/anchors/.
I also went through this link to understand whether my cert is in the right folder (source vs anchors), and since it is in .cer format it seems it should be the anchors folder.
What am I missing or doing wrong?
Update 1:
I can see that the cert I am trying to add ends up in /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt but not in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. This is also highlighted in the answer from Jeight here. But I do not know why it is not in the other location, and my application (which is trying to connect) fails because of cert chain errors, so probably it is looking at /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Why does it end up in one and not in the other? And also, what is the difference between these?
Update 2:
I read that the ones which end up in the openssl subfolder are the ones which are BEGIN TRUSTED CERTIFICATE, but mine is of the format BEGIN CERTIFICATE. So I am not sure why it is ending up in the openssl subfolder and not in the pem subfolder.
Update 3:
As asked in the comment, below is the output of
openssl x509 -noout -text -in xx_exp_2023_11_30.cer
I have anonymized some contents with xx (or "something" or "bla bla").
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ser num
        Signature Algorithm: encrytpion
        Issuer: O = XX, CN = TST-XX
        Validity
            Not Before: Nov 30 05:46:42 2021 GMT
            Not After : Nov 30 05:46:42 2023 GMT
        Subject: CN = xx.tst2.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    something
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            something:
                0-.%+blabla
            X509v3 Subject Key Identifier:
                Something
            X509v3 Authority Key Identifier:
                keyid:Something
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://address.crl
            Authority Information Access:
                CA Issuers - URI:http://address.crt
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            xxxxx:
                ..+.......
            X509v3 Subject Alternative Name:
                DNS:dnslist
    Signature Algorithm: sha256WithRSAEncryption
         ......
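The CA:TRUE check from the question, applied to the dump posted above, as an added example that is not part of the question or of the ca-certificates tooling. It parses the text form of `openssl x509 -text` with the standard library only; the first sample is the asker's anonymized dump trimmed to the relevant fields, the second is a constructed dump of a self-signed CA certificate for comparison, and it shows that the posted dump carries no Basic Constraints extension at all, so the grep window in the question matches nothing.

```python
# First sample: asker's dump quoted from the question (trimmed).
# Second sample: constructed CA certificate dump for comparison.
ASKER_CERT_TEXT = """\
        Issuer: O = XX, CN = TST-XX
        Subject: CN = xx.tst2.dom
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
CA_CERT_TEXT = """\
        Issuer: O = Example, CN = Example Root CA
        Subject: O = Example, CN = Example Root CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
"""


def parse_x509_text(text):
    """Pick out the fields the question's grep check looks at."""
    info = {"subject": None, "issuer": None, "basic_constraints": None, "eku": []}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if ln.startswith("Subject:"):
            info["subject"] = ln.partition(":")[2].strip()
        elif ln.startswith("Issuer:"):
            info["issuer"] = ln.partition(":")[2].strip()
        elif ln.startswith("X509v3 Basic Constraints"):
            # Same two-line window as `grep --after-context=2 ... | grep "CA:TRUE"`
            info["basic_constraints"] = " ".join(lines[i + 1:i + 3])
        elif ln.startswith("X509v3 Extended Key Usage") and i + 1 < len(lines):
            info["eku"] = [x.strip() for x in lines[i + 1].split(",")]
    return info


def classify(text):
    """'ca' when Basic Constraints says CA:TRUE, otherwise 'end-entity'."""
    info = parse_x509_text(text)
    if "CA:TRUE" in (info["basic_constraints"] or ""):
        return "ca"
    return "end-entity"


if __name__ == "__main__":
    for name, dump in (("asker", ASKER_CERT_TEXT), ("constructed CA", CA_CERT_TEXT)):
        print(name, "->", classify(dump), parse_x509_text(dump))
```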