Adding Root Certificate

I need to add a root certificate foo.crt (not its real name).
It works on my Ubuntu system and the following looks valid.

openssl x509 -in ./foo.crt -text -noout

I am trying to add it using:

> sudo trust anchor ./foo.crt
p11-kit: couldn't create object: The field is read-only
p11-kit: 1 error while processing

When I try:

sudo cp ./foo.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust

I get no errors from that, but when I try to verify other certs created using that root cert:

openssl verify ./bar.pem
C=US, ST=Tennessee, L=Nashville, O=Vanderbilt University, OU=Institute for Software Integrated Systems, CN=bar, emailAddress=fred.eisele@vanderbilt.edu
error 20 at 0 depth lookup: unable to get local issuer certificate
error ./bar.pem: verification failed

Any advice?

To make my question clear.

How do I add a root certificate to bluefin?
How do I validate certificates signed by that root certificate?

I found a way to do it but it seems odd.

sudo cp my-root-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

This results in a file in /etc/pki/ca-trust/extracted/pem/directory-hash/.
As it turns out, this is not where openssl looks by default; that is governed by
/etc/pki/tls/openssl.cnf.

Verification can be done with:

openssl verify -CApath /etc/pki/ca-trust/extracted/pem/directory-hash/ ./bar.pem

What I would like to know is how do the various browsers (chrome, firefox) and programs (curl) make use of these root certificates?
Do they use openssl or some std library?
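The copy-to-anchors / update-ca-trust / verify -CApath sequence above, reproduced against a throwaway CA as an added example (this is not code from the original post or from Bluefin): it shows the same "error 20" when the issuer cannot be found, why -CApath only works on a directory laid out as <subject-hash>.N links (the layout update-ca-trust writes into directory-hash), and the -CAfile alternative. It assumes an openssl of 1.1.1 or newer on PATH (for the built-in `openssl rehash` and a non-zero exit status on failed verification); the root, the "bar" leaf and the req config are all constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the thread's failure
# and fix with a constructed CA in a temp dir instead of the system store.
# Assumes openssl >= 1.1.1 on PATH (openssl rehash, non-zero exit on failure).

# Build a self-signed root plus a leaf "bar" issued by it under directory $1.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir/plain" "$dir/hashed"
    # Minimal req config so the result does not depend on the host's openssl.cnf.
    # The root must carry basicConstraints CA:TRUE, or openssl rejects it as an
    # issuer (error 24, invalid CA certificate) even after it is found in the store.
    cat >"$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Constructed Test Root
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -days 1 -sha256 -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    # Leaf: CSR for CN=bar signed by the root, like the thread's bar.pem.
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=bar" -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$dir/bar.key" -out "$dir/bar.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$dir/bar.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/bar.pem" >/dev/null 2>&1
    # Two trust directories holding the same root: "plain" is just the file copied
    # in (like source/anchors); "hashed" is rehashed into <subject-hash>.0 links,
    # which is the layout update-ca-trust writes to extracted/pem/directory-hash
    # and the only layout -CApath understands.
    cp "$dir/root.crt" "$dir/plain/"
    cp "$dir/root.crt" "$dir/hashed/"
    openssl rehash "$dir/hashed" >/dev/null 2>&1
}

# verify_leaf LEAF [openssl verify options...]: prints "OK" or "error <n>", where
# <n> is the X509 verify code (20 = unable to get local issuer certificate).
verify_leaf() {
    leaf="$1"
    shift
    if out=$(openssl verify "$@" "$leaf" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" \
            | sed -n 's/^.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/error \1/p' \
            | head -n 1
    fi
}

# File name that -CApath looks up for this root: <subject-hash>.0 (what rehash made).
capath_link_name() {
    echo "$(openssl x509 -in "$1" -noout -subject_hash).0"
}

# Stand-alone run: build the PKI and show each lookup mode side by side.
demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    echo "default locations only : $(verify_leaf "$dir/bar.pem")"
    echo "-CApath plain dir      : $(verify_leaf "$dir/bar.pem" -CApath "$dir/plain")"
    echo "-CApath rehashed dir   : $(verify_leaf "$dir/bar.pem" -CApath "$dir/hashed")"
    echo "-CAfile root.crt       : $(verify_leaf "$dir/bar.pem" -CAfile "$dir/root.crt")"
    echo "link -CApath looks for : $(capath_link_name "$dir/root.crt")"
    ls "$dir/hashed"
    rm -rf "$dir"
}

demo
```

OpenSSL's default locations are compile-time, not set in openssl.cnf: OPENSSLDIR/cert.pem and OPENSSLDIR/certs, where `openssl version -d` prints OPENSSLDIR, and the SSL_CERT_FILE and SSL_CERT_DIR environment variables override them. On Fedora-based images OPENSSLDIR is /etc/pki/tls, and /etc/pki/tls/certs/ca-bundle.crt is a link to the update-ca-trust output /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, so `openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt ./bar.pem` is the bundle-file counterpart of the -CApath form in the post.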

Here are some of my guesses as to where these root certificates are obtained.
This seems like a bit of a mess.

Possible root cert sources

  System-Wide Trust Store Updates (update-ca-trust tool)
    The update-ca-trust utility manages the system-wide CA certificates.
    When a root certificate is added to /etc/pki/ca-trust/source/anchors/ and the update-ca-trust command is executed,
    it updates the consolidated bundle of CA certificates that is used by the system components relying on the system trust store.
    /etc/pki/ca-trust/extracted/pem/directory-hash

  Network Security Services (NSS)
    https://www.freedesktop.org/software/systemd/man/latest/nss-systemd.html

  openssl defaults
    /etc/pki/tls/certs or /etc/ssl/certs

  OpenSSL or GnuTLS libraries
    Which are configured to refer to this central store for trusted root certificates.

Tool: what does it use?

  curl and wget (using OpenSSL or GnuTLS)
    • openssl defaults

  Chrome/Chromium
    • Network Security Services
    • The system’s trust store

  Firefox
    • Own trust store managed through the application’s settings under Certificate Manager.
    • Does NOT use the system’s trust store

  OpenSSL
    • openssl defaults

I personally use

sudo trust anchor --store /path/to/crt

I also run the user p11-kit service/socket. Then I make sure the flatpak browsers have access to the p11-kit socket.

With these, I seemingly am able to have the credentials added to browsers and work with commandline tools like git/curl.

Could you provide a bit more information on the p11-kit service / socket?
Meaning, how is it used in bluefin?

I was not aware of it. Here are some links I found.

Is this what you were talking about regarding service / socket?

systemctl --user enable p11-kit-client.service

systemctl enable --now --user p11-kit-server.{service,socket}

You will now have a p11-kit server running for your user. The socket that communicates with it can then be bound into flatpaks, giving them access to pkcs11 tokens inside the flatpak.

I ran…

systemctl --user list-unit-files | grep p11

…and see the unit files you mentioned.
I also looked at…

systemctl --user list-unit-files

I did not realize there were user services that were disabled by default.
What are they all for?

Sorry, got distracted there.

This exposes a p11-kit-server that can be accessed remotely and enables you to load different modules for accessing pkcs11 tokens.
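The "run the user p11-kit server, then give flatpaks access to its socket" setup described in the replies above, written out as an added example (this is not code from the original posts, from Bluefin or from p11-kit). It assumes a systemd user session with the p11-kit-server.socket unit named in the thread, that the server listens at $XDG_RUNTIME_DIR/p11-kit/pkcs11 (the path the p11-kit client also uses when P11_KIT_SERVER_ADDRESS is unset), that exposing xdg-run/p11-kit to the sandbox is sufficient, and that the Flatpak runtime's p11-kit includes the client module; the app ID is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the original posts or from Bluefin: wire the
# per-user p11-kit server to a Flatpak. Assumptions: a systemd user session with
# the p11-kit-server units named in the thread; the server's default socket path
# $XDG_RUNTIME_DIR/p11-kit/pkcs11; a Flatpak app ID passed in by the caller; and
# a Flatpak runtime whose p11-kit is built with the client module, which then
# finds the socket at that default path.

# Socket the p11-kit client looks for when P11_KIT_SERVER_ADDRESS is unset.
p11_kit_socket_path() {
    echo "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/p11-kit/pkcs11"
}

# Host side: start the socket-activated user server, then confirm the socket exists.
enable_p11_kit_server() {
    systemctl --user enable --now p11-kit-server.socket || return 1
    sock=$(p11_kit_socket_path)
    [ -S "$sock" ] || { echo "no socket at $sock" >&2; return 1; }
    echo "p11-kit server socket: $sock"
}

# Flatpak side: expose the socket directory to the sandbox of app $1 (assumption:
# xdg-run/p11-kit is enough, since the client module reads the same default path).
grant_flatpak_p11_access() {
    flatpak override --user --filesystem=xdg-run/p11-kit "$1"
}

# Check from inside the sandbox that the socket is visible there.
check_flatpak_p11_socket() {
    flatpak run --command=sh "$1" -c 'ls -l "$XDG_RUNTIME_DIR/p11-kit/pkcs11"'
}

# Usage: sh this-script.sh org.example.Browser   (the app ID is a placeholder)
if [ $# -eq 1 ]; then
    enable_p11_kit_server && grant_flatpak_p11_access "$1" && check_flatpak_p11_socket "$1"
fi
```

The override is per app and per user (`flatpak override --user --show APP` lists it), so a root-installed Flatpak still needs it under the account that runs the browser; if the socket is not visible inside the sandbox after this, the runtime's p11-kit setup is the place to look, not the host's trust store.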