While Ubuntu/Debian systems have a straightforward update-ca-certificates, CentOS/RHEL handles trust stores differently, through the ca-certificates package and OpenSSL's certificate store at /etc/pki/ca-trust/.
```bash
# 1. Place your CA cert in the trusted sources directory
sudo cp internal-ca.crt /etc/pki/ca-trust/source/anchors/
# 2. Update the CA trust store
sudo update-ca-trust extract
# 3. Verify the certificate was added. (openssl x509 -text only decodes the
#    first certificate in a bundle, so query the trust store itself instead.)
trust list | grep "Your CA Name"
```
For cURL and Git Clients
If system-wide installation isn't possible:
```bash
# cURL specific configuration
# Note: cacert replaces the default bundle rather than extending it, so any
# other HTTPS endpoint you reach with curl must chain to a CA in this file too.
echo "cacert = /path/to/internal-ca.crt" >> ~/.curlrc
# Git SSL verification override (same caveat applies)
git config --global http.sslCAInfo /path/to/internal-ca.crt
```
Docker Containers
For containers based on CentOS images:
```dockerfile
FROM centos:7
COPY internal-ca.crt /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust extract
```
Test the certificate chain:
openssl s_client -connect internal-server:443 -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Common issues to check:
- Certificate file permissions (should be 644)
- Proper PEM format (BEGIN/END CERTIFICATE markers)
- Complete certificate chain in the file
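A small pre-flight script for those three checks, added here as an example (it is not part of the original page): it counts paired BEGIN/END markers so a truncated chain is caught, checks the 644 mode, and, when openssl is installed, confirms the first certificate actually carries basicConstraints CA:TRUE. The function names are ours; the anchors path is the one the page uses.

```shell
#!/bin/sh
# Pre-flight checks for a CA file before copying it into
# /etc/pki/ca-trust/source/anchors/ (hypothetical helper, not from the page).

# Number of PEM certificate blocks in a file; prints 0 if there are none or
# if BEGIN/END markers do not pair up, which is how a truncated chain looks.
pem_cert_count() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]; then
        echo "$begins"
    else
        echo 0
    fi
}

# Returns 0 when the file is world-readable and writable only by its owner.
check_cert_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        644|444) return 0 ;;
        *) echo "mode $mode on $1, expected 644" >&2; return 1 ;;
    esac
}

# With openssl available, confirm the first certificate parses and is a CA;
# an end-entity cert dropped into anchors/ is a common mistake that
# update-ca-trust does not flag. Skipped (returns 0) without openssl.
check_is_ca() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Runs all three checks; exit status 0 means the file is safe to install.
check_ca_file() {
    f="$1"
    n=$(pem_cert_count "$f")
    [ "$n" -gt 0 ] || { echo "$f: no well-formed PEM certificate block" >&2; return 1; }
    check_cert_mode "$f" || return 1
    check_is_ca "$f" || { echo "$f: first certificate is not a CA" >&2; return 1; }
    echo "$f: $n certificate(s), ready for /etc/pki/ca-trust/source/anchors/"
}
```

Run it as `check_ca_file internal-ca.crt` before the cp step; a non-zero exit explains which check failed.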
For large deployments, use this Ansible playbook snippet:
```yaml
- name: Install internal CA certificate
  hosts: all
  tasks:
    - name: Copy CA cert
      copy:
        src: internal-ca.crt
        dest: /etc/pki/ca-trust/source/anchors/
        mode: '0644'   # quoted so YAML does not parse the octal literal as 420
    - name: Update CA trust
      command: update-ca-trust extract
```
CentOS 6 vs 7/8 differences:
| CentOS 6 | CentOS 7/8 |
|---|---|
| /etc/pki/tls/certs/ca-bundle.crt | /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem |
| Manual hash symlinks required | update-ca-trust handles hashing |
When dealing with internal certificate authorities on CentOS/RHEL systems, the standard certificate store location is /etc/pki/ca-trust/source/anchors/ for PEM-encoded certificates. This differs from Ubuntu's /usr/local/share/ca-certificates/ approach and requires additional trust chain management.
First, copy your CA certificate to the trust anchors directory:
sudo cp your-ca.crt /etc/pki/ca-trust/source/anchors/
Then update the trust store (this handles hash generation automatically):
sudo update-ca-trust
Check if your CA was properly imported:
trust list | grep -A2 "Your CA Name"
For programmatic verification with OpenSSL:
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt /path/to/your-cert.crt
For Git to respect system certificates:
git config --global http.sslCAInfo /etc/pki/tls/certs/ca-bundle.crt
For curl (either use system bundle or specify directly):
curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://internal-site
If certificates still aren't trusted:
- Verify certificate encoding: `file your-ca.crt` should show PEM or DER
- Check symlinks were created: `ls -l /etc/pki/tls/certs/ | grep your-ca`
- Test with openssl: `openssl s_client -connect internal-site:443 -CAfile /etc/pki/tls/certs/ca-bundle.crt`
For legacy systems that don't support update-ca-trust:
```bash
# Generate hash
HASH=$(openssl x509 -noout -hash -in your-ca.crt)
# Create symlink
sudo ln -s /etc/pki/ca-trust/source/anchors/your-ca.crt /etc/pki/tls/certs/${HASH}.0
```