Adding Root Certificate

phreed · November 19, 2024, 6:20pm

I need to add a root certificate foo.crt (not its real name).
It works on my Ubuntu system and the following looks valid.

openssl x509 -in ./foo.crt -text -noout

I am trying to add it using:

> sudo trust anchor ./foo.crt
p11-kit: couldn't create object: The field is read-only
p11-kit: 1 error while processing

When I try:

sudo cp ./foo.crt /etc/pki/ca-trust/source/anchors
sudo update-ca-trust

I get no errors from that, but when I try to verify other certs created using that root cert.

openssl verify ./bar.pem
C=US, ST=Tennessee, L=Nashville, O=Vanderbilt University, OU=Institute for Software Integrated Systems, CN=bar, emailAddress=fred.eisele@vanderbilt.edu
error 20 at 0 depth lookup: unable to get local issuer certificate
error ./bar.pem: verification failed

Any advice?

phreed · November 19, 2024, 10:00pm

To make my question clear.

How do a add a root certificate to bluefin?
How do I validate certificates signed by that root certificate?

phreed · November 19, 2024, 11:13pm

I found a way to do it but it seems odd.

sudo cp my-root-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

This results in a file in /etc/pki/ca-trust/extracted/pem/directory-hash/.
As it turns out this is not where openssl looks by default which is governed by
/etc/pki/tls/openssl.cnf.

Verification can be done with:

openssl verify -CApath /etc/pki/ca-trust/extracted/pem/directory-hash/ ./bar.pem

What I would like to know is how do the various browsers (chrome, firefox) and programs (curl) make use of these root certificates?
Do they use openssl or some std library?

phreed · November 19, 2024, 11:37pm

Here are some of my guesses as to where these root certificates are obtained.
This seems like a bit of a mess.

Possible root cert source

System-Wide Trust Store Updates (`update-ca-trust` tool)

The update-ca-trust utility managed the system-wide CA certificates.
When a root certificate is added to /etc/pki/ca-trust/source/anchors/ and the update-ca-trust command is executed,
it updates the consolidated bundle of CA certificates that is used by the system components relying on the system trust store.

/etc/pki/ca-trust/extracted/pem/directory-hash

Network Security Services (NSS)

openssl defaults

/etc/pki/tls/certs or /etc/ssl/certs.

OpenSSL or GnuTLS libraries

Which are configured to refer to this central store for trusted root certificates.

Tool Use What?

curl and wget (using OpenSSL or GnuTLS)

openssl defaults

Chrome/Chromium

Network Security Services
The system’s trust store

Firefox

Own trust store managed through the application’s settings under Certificate Manager.
Does NOT use the system’s trust store

OpenSSL

openssl defaults

m2Giles · November 20, 2024, 4:51pm

I personally use

sudo trust anchor --store /path/to/crt

I also run the user p11-kit service/socket as well. Then, I make sure the flatpak browsers have access to the p11-kit socket.

With these, I seemingly am able to have the credentials added to browsers and work with commandline tools like git/curl.

phreed · November 20, 2024, 6:44pm

Could you provide a bit more information on the p11-kit service / socket?
Meaning, how is it used in bluefin?

I was not aware of it. Here are some links I found.

Is this what you were talking about regarding service / socket?

systemctl --user enable p11-kit-client.service

m2Giles · November 20, 2024, 7:08pm

systemctl enable --now --user p11-kit-server.{service,socket}

You will now have a p11-kit server running for your user. The socket which can communicate with it can then be binded into flatpaks giving them access to pkcs11 tokens inside the flatpak.

phreed · November 20, 2024, 7:40pm

I ran…

systemctl --user list-unit-files | grep p11

…and see the unit files you mentioned.
I also looked at…

systemctl --user list-unit-files

I did not realize there were user services that were disabled by default.
What are they all for?

Sorry, got distracted there.

m2Giles · November 20, 2024, 9:59pm

This exposes a p11-kit-server that can be accessed remotely and enables you to load different modules for accessing pkcs11 tokens.

mmartinortiz · September 4, 2025, 9:02am

After enabling the systemd unit, how do you allow FlatPak browsers to use them? I have used FlatSeal, but there is nothing related to p11 that I could find.

When I use curl , I still get a certificate error. The certificate seems to be installed correctly:

❯ sudo openssl verify -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/ca-trust/source/anchors/mycert.crt
/etc/pki/ca-trust/source/anchors/mycert.crt: OK

giacomo · September 18, 2025, 11:53am

I’m not sure how to add an additional socket via Flatseal, but you should be able to add it via the flatpak override command from the terminal.

Something like:
flatpak override –socket=p11-kit-server org.mozilla.firefox

Topic		Replies	Views
Flatpak firefox and system certificates Bazzite	0	262	July 13, 2024
Trusting Home Server CA in Bluefin Bluefin	4	131	January 14, 2025
Installing 1Password in Bluefin, a better way? Bluefin	39	3390	September 19, 2025
Smartcard access for native Firefox Bluefin	5	263	August 11, 2025
Building a flatpak that plays well with Bluefin and family Bluefin	6	250	May 27, 2025