Import a certificate into Linux
Import a CA certificate into the certificate keystore of a Linux machine
The importcert.py script can be used to import a certificate into the keystore of a Linux machine in order to authenticate TLS communications.
Note
These optional steps need not be completed before importing the certificate, but they must be completed before testing the certificate.
Use one of the following methods to import a certificate:
Open a terminal window.
In the terminal window, navigate to the FairCom Certificate Management program at <faircom>/tools/certman/
Execute sudo python importcert.py
The script will detect the key-pair you previously created and ask:
Would you like to import the certificate at Certs/Expires_On_2034-08-12/ca.crt?
If you respond "yes", you will be prompted to "Press ENTER to proceed".
    user@linuxvm:~$ sudo python importcert.py
    Welcome to FairCom's Certificate Import Utility
    For help, run this program with the '-h' option.
    Would you like to import the certificate at Certs/Expires_On_2034-08-12/ca.crt? yes
    Press ENTER to proceed. Press x, to exit without any changes.
    Updating certificates in /etc/ssl/certs...
    0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    Processing triggers for ca-certificates-java (20240118) ...
    done.
    done.
    Press ENTER to exit
If you respond "no", you will be prompted for the filename to import.
    user@linuxvm:~$ sudo python importcert.py
    Welcome to FairCom's Certificate Import Utility
    For help, run this program with the '-h' option.
    Would you like to import the certificate at Certs/Expires_On_2034-08-12/ca.crt? no
    Enter the location of an x509 CA certificate (or 'x' to exit): ./Certs/Expires_On_2034-08-12/ca.crt
    Press ENTER to proceed. Press x, to exit without any changes.
    Updating certificates in /etc/ssl/certs...
    0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...
    Processing triggers for ca-certificates-java (20240118) ...
    done.
    done.
    Press ENTER to exit
The import was successful and the certificate was added to the keystore.
Note
Manually importing the certificate is only needed if the FairCom importcert.py script is not used.
Install the CA Certificates package if needed:
    sudo apt-get install -y ca-certificates
Create a new directory named user-certificates under /usr/local/share/ca-certificates/
Perform chmod 755 on the target directory.
Copy the certificate file into the target directory.
Perform chmod 644 on the target file.
Perform update-ca-certificates
The import was successful and the certificate was placed in the certificate keystore.
After the file has been imported, it can be verified using ls -l /etc/ssl/certs | grep ca.crt
    user@linuxvm:~$ ls -l /etc/ssl/certs | grep ca.crt
    lrwxrwxrwx 1 root root 57 Aug 13 11:42 ca.pem -> /usr/local/share/ca-certificates/user-certificates/ca.crt
If you have OpenSSL installed, you can validate using openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt ca.crt
    user@linuxvm:~$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt ca.crt
    ca.crt: OK
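The ls -l check above confirms a single link. As an added example (not part of FairCom's tooling or documentation), the following Python script lists every symlink in /etc/ssl/certs that resolves into /usr/local/share/ca-certificates and checks the 755 and 644 modes from the manual steps. The names audit_local_cas and demo, and the temporary directory tree that demo builds, are constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

CERTS_DIR = Path("/etc/ssl/certs")                       # from the page
LOCAL_CA_DIR = Path("/usr/local/share/ca-certificates")  # from the page

def audit_local_cas(certs_dir=CERTS_DIR, local_ca_dir=LOCAL_CA_DIR):
    """Report every link in certs_dir that resolves into local_ca_dir."""
    local_root = Path(local_ca_dir).resolve()
    findings = []
    for link in sorted(Path(certs_dir).iterdir()):
        if not link.is_symlink():
            continue
        target = link.resolve()
        if local_root not in target.parents:
            continue  # distribution-shipped CA, not a local import
        problems = []
        if not target.is_file():
            problems.append("dangling link")
        else:
            fmode = stat.S_IMODE(target.stat().st_mode)
            dmode = stat.S_IMODE(target.parent.stat().st_mode)
            if fmode != 0o644:  # the chmod 644 step
                problems.append(f"file mode {fmode:o}, expected 644")
            if dmode != 0o755:  # the chmod 755 step
                problems.append(f"directory mode {dmode:o}, expected 755")
        findings.append({"link": link.name, "target": str(target),
                         "problems": problems})
    return findings

def demo():
    """Audit a constructed tree that mimics the page's layout (no root needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        certs = Path(tmp, "etc/ssl/certs")
        user = Path(tmp, "usr/local/share/ca-certificates/user-certificates")
        certs.mkdir(parents=True)
        user.mkdir(parents=True)
        user.chmod(0o755)
        for name, mode in (("ca.crt", 0o644), ("other.crt", 0o666)):
            cert = user / name
            cert.write_text("constructed placeholder, not a real certificate\n")
            cert.chmod(mode)
            (certs / name.replace(".crt", ".pem")).symlink_to(cert)
        return audit_local_cas(certs, user.parent)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call audit_local_cas() with no arguments; reading the modes does not require root.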
Python version 3.7 and later can access the OS certificate keystore. This support may be library-dependent. Follow these steps to test with the "requests" library:
Install the pip-system-certs package:
    pip install pip-system-certs
Run these two lines of code (change 127.0.0.1 to the address of your server):
    import requests
    print(requests.Session().post("https://127.0.0.1:8443/api", data='{"api": "admin","action": "pingSession"}').json())
A successful run shows the following:
{'errorCode': 0, 'errorMessage': ''}