2.4. Add a CA Certificate to an OpenSSL Store

2.4.1. Add a CA Certificate to an OpenSSL Store - Debian

On a Debian 9 machine, to add a CA certificate to the OpenSSL store, execute the commands below, replacing CA_CERT with the filename of a given CA certificate (e.g., Acme_Incorporated_Cert.pem). Files in the /usr/local/share/ca-certificates directory must have a .crt file extension in order to be implicitly trusted. The -f or --fresh option to the update-ca-certificates command completely refreshes the symbolic links under the /etc/ssl/certs directory.

CA_CERT='CA_CERT'

CA_CERT_CRT="$(basename -- "${CA_CERT}" .pem).crt"

sudo \
    -- \
    install \
    --mode u=rwX,go=rX  \
    -- \
    "${CA_CERT}" \
    "/usr/local/share/ca-certificates/${CA_CERT_CRT}"

sudo update-ca-certificates

2.4.2. Add a CA Certificate to an OpenSSL Store - Mac OS Homebrew

On a Mac OS machine with the Homebrew package manager, to add a CA certificate to the OpenSSL store, execute the commands below, replacing CA_CERT with the filename of a given CA certificate (e.g., Acme_Incorporated_Cert.pem). Note that this is a very generic way to add a CA certificate to an OpenSSL certificate store. Note that it is customary for Homebrew to be installed and managed by a non-root user.

CA_CERT='CA_CERT'

CERTS_DIR="$(
    openssl \
        version \
        -d |
    sed 's/^OPENSSLDIR: "//;s/"$//'
)/certs"

CA_CERT_HASH="$(
    openssl \
        x509 \
        -hash \
        -noout \
        -in "${CA_CERT}"
)"

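# The BSD install(1) shipped with Mac OS has no --mode long option;
# -m is accepted by both BSD and GNU install.
install \
    -m u=rwX,go=rX \
    -- \
    "${CA_CERT}" \
    "${CERTS_DIR}/${CA_CERT}"

# Note: -f replaces any link that already exists at ${CA_CERT_HASH}.0.
ln \
    -sf \
    "${CA_CERT}" \
    "${CERTS_DIR}/${CA_CERT_HASH}.0"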
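
The commands in 2.4.2 always link to the .0 suffix, so a second CA certificate with the same subject hash would replace the first one's link. The added example below (not part of the original page) generalizes the procedure: it takes the first free suffix and skips a certificate that is already linked. The function name add_ca_to_hashdir and its two arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. add_ca_to_hashdir is a
# hypothetical helper: $1 = PEM CA certificate, $2 = OpenSSL certs directory.
add_ca_to_hashdir() {
    ca_cert=$1
    certs_dir=$2
    name=$(basename -- "$ca_cert")

    # Fail early if the file does not parse as an X.509 certificate.
    subj_hash=$(openssl x509 -hash -noout -in "$ca_cert") || return 1
    fp=$(openssl x509 -fingerprint -sha256 -noout -in "$ca_cert") || return 1

    # OpenSSL tries <hash>.0, <hash>.1, ... and stops at the first missing
    # name, so the new link must take the first free suffix.
    n=0
    while [ -e "$certs_dir/$subj_hash.$n" ] || [ -L "$certs_dir/$subj_hash.$n" ]; do
        have=$(openssl x509 -fingerprint -sha256 -noout \
            -in "$certs_dir/$subj_hash.$n" 2>/dev/null) || have=
        if [ "$have" = "$fp" ]; then
            echo "$subj_hash.$n"    # this exact certificate is already linked
            return 0
        fi
        n=$((n + 1))
    done

    # Do not overwrite a different certificate stored under the same filename.
    if [ -e "$certs_dir/$name" ] && ! cmp -s "$ca_cert" "$certs_dir/$name"; then
        echo "refusing to overwrite $certs_dir/$name" >&2
        return 1
    fi

    install -m 0644 "$ca_cert" "$certs_dir/$name" || return 1
    ln -s "$name" "$certs_dir/$subj_hash.$n" || return 1
    echo "$subj_hash.$n"
}

# Usage: sh add_ca.sh Acme_Incorporated_Cert.pem "$CERTS_DIR"
if [ "$#" -eq 2 ]; then
    add_ca_to_hashdir "$1" "$2"
fi
```

The function prints the name of the link that now points at the certificate, which makes it easy to confirm which suffix was used.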