When working with RHEL7 systems, certificate management is handled through the ca-certificates package and the update-ca-trust framework. The certificate chain you're dealing with consists of:
- Root CA: VeriSign Class 3 Public Primary Certification Authority - G5 (typically pre-installed)
- Intermediate CA: Symantec Class 3 EV SSL CA - G3 (needs installation)
Before importing, ensure your cacertchain.crt has correct formatting:
-----BEGIN CERTIFICATE-----
(Intermediate CA content)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA content)
-----END CERTIFICATE-----
The correct procedure involves:
- Copy the file to the anchors directory:
sudo cp cacertchain.crt /etc/pki/ca-trust/source/anchors/
- Update the trust store:
sudo update-ca-trust extract
Check if the certificates were properly added:
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs -noout | grep "Symantec Class 3 EV SSL CA - G3"
If the trust framework doesn't work as expected, you can manually append to the bundle:
sudo cat cacertchain.crt >> /etc/pki/tls/certs/ca-bundle.crt
sudo cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.trust.crt
- Certificate not appearing: Ensure proper file permissions (644) on the .crt file
- Format errors: Validate with openssl x509 -in cacertchain.crt -text -noout
- System-wide vs user trust: For user-specific trust, use ~/.pki/nssdb
For large deployments, use this Ansible snippet:
- name: Install CA certificate chain
  hosts: all
  become: yes   # copying into /etc/pki and running update-ca-trust need root
  tasks:
    - name: Copy certificate file
      copy:
        src: cacertchain.crt
        dest: /etc/pki/ca-trust/source/anchors/
        mode: '0644'
    - name: Update CA trust
      command: update-ca-trust extract
When working with RHEL7 servers, properly importing CA certificate chains can be tricky - especially when dealing with intermediate certificates that aren't automatically recognized by the system's trust store. The standard approach of placing certificates in /etc/pki/ca-trust/source/anchors/ doesn't always work as expected with certificate chains.
Before making changes, always verify what's already in your trust store:
# Check if VeriSign root CA already exists
grep "VeriSign Class 3 Public Primary Certification Authority - G5" /etc/pki/tls/certs/ca-bundle.crt
# Check for Symantec intermediate
grep "Symantec Class 3 EV SSL CA - G3" /etc/pki/tls/certs/ca-bundle.crt
For certificate chains (especially those containing intermediates), we need to handle them differently than single certificates:
# 1. Copy the chain file to the correct location
sudo cp cacertchain.crt /etc/pki/ca-trust/source/anchors/
# 2. Convert the certificate chain to proper PEM format if needed
sudo openssl x509 -in /etc/pki/ca-trust/source/anchors/cacertchain.crt -out /etc/pki/ca-trust/source/anchors/cacertchain.pem -outform PEM
# 3. Update the trust store
sudo update-ca-trust extract
If the above doesn't work, try this more explicit method:
# 1. Create a new directory for custom certificates
sudo mkdir -p /etc/pki/ca-trust/source/custom-certs
# 2. Copy your chain there
sudo cp cacertchain.crt /etc/pki/ca-trust/source/custom-certs/
# 3. Enable the custom certs
sudo update-ca-trust enable
# 4. Extract the certificates
sudo update-ca-trust extract
After installation, verify the certificates were properly added:
# Check the system-wide bundle
cat /etc/pki/tls/certs/ca-bundle.crt | grep -A 20 "Symantec Class 3 EV SSL CA"
# Or use openssl to verify
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt /path/to/your/certificate.crt
If you're still facing problems:
- Ensure the certificate chain is in correct order (leaf -> intermediate -> root)
- Check file permissions (should be readable by all users)
- Verify the certificates haven't expired
- Consider using openssl crl2pkcs7 for certain certificate formats
For enterprise environments, create a simple deployment script:
#!/bin/bash
# Deploy certificate chain to multiple RHEL7 servers
set -e
CERT_FILE="cacertchain.crt"
SERVERS=("server1" "server2" "server3")
for server in "${SERVERS[@]}"; do
  # quote the expansions so a path with spaces or an odd hostname cannot split the command
  scp "$CERT_FILE" "root@$server:/tmp/"
  ssh "root@$server" "cp /tmp/$CERT_FILE /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract"
done