The importcert.py script can be used to import a certificate into the keystore of a Linux machine in order to authenticate TLS communications.
Optional preparation
These optional steps need not be completed before importing the certificate, but they must be completed before testing the certificate.
Import the certificate
Use one of the following methods to import a certificate:
Use the importcert.py script
- Open a terminal window.
- In the terminal window, navigate to the FairCom Certificate Management program at
<faircom>/tools/certman/
- Execute
sudo python importcert.py
- The script will detect the key-pair you previously created and ask:
Would you like to import the certificate at Certs/Expires_On_2034-08-12/ca.crt?
- If you respond "yes", you will be prompted to "Press ENTER to proceed".
user@linuxvm:~$ sudo python importcert.py
Welcome to FairCom's Certificate Import Utility
For help, run this program with the '-h' option.
Would you like to import the certificate at Certs/Expires_On_2034-08-12/ca.crt? yes
Press ENTER to proceed.
Press x, to exit without any changes.
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Processing triggers for ca-certificates-java (20240118) ...
done.
done.
Press ENTER to exit
If you respond "no", you will be prompted for the filename to import.
user@linuxvm:~$ sudo python importcert.py
Welcome to FairCom's Certificate Import Utility
For help, run this program with the '-h' option.
Would you like to import the certificate at Certs/Expires_On_2034-08-12/ca.crt? no
Enter the location of an x509 CA certificate (or 'x' to exit): ./Certs/Expires_On_2034-08-12/ca.crt
Press ENTER to proceed.
Press x, to exit without any changes.
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Processing triggers for ca-certificates-java (20240118) ...
done.
done.
Press ENTER to exit
The import was successful and the certificate was added to the keystore.
Manually import the certificate:
Manually importing the certificate is only needed if the FairCom importcert.py script is not used.
- Install the CA Certificates package if needed:
sudo apt-get install -y ca-certificates
- Create a new directory named user-certificates under /usr/local/share/ca-certificates/
- Perform chmod 755 on the target directory.
- Copy the certificate file into the target directory.
- Perform chmod 644 on the target file.
- Perform update-ca-certificates
The import was successful and the certificate was placed in the certificate keystore.
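The manual steps above as one shell sketch, with a check that the file really is a CA certificate and a fingerprint printout before the system starts trusting it. This is an added example, not FairCom's importcert.py; the function names and the CA_DIR override are assumptions of this example, and the CA:TRUE test assumes an X.509 v3 CA certificate.

```shell
#!/bin/sh
# Added example (not part of FairCom's tooling): manual CA import with pre-checks.
# CA_DIR can be overridden (assumption of this example) to dry-run in a scratch directory.
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates/user-certificates}"

# Return 0 only if $1 parses as an X.509 certificate whose Basic Constraints say CA:TRUE.
# Note: a v1 root without extensions is rejected by this check.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Copy $1 into CA_DIR with the modes from the steps above and print the staged path.
# Exit codes: 1 = file missing, 2 = not a CA certificate, 3 = filesystem error.
stage_ca_cert() {
    src=$1
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    is_ca_cert "$src" || { echo "not a CA certificate: $src" >&2; return 2; }
    # update-ca-certificates only picks up files whose names end in .crt
    name=$(basename "$src")
    case $name in *.crt) ;; *) name="${name%.*}.crt" ;; esac
    mkdir -p "$CA_DIR" && chmod 755 "$CA_DIR" || return 3
    install -m 644 "$src" "$CA_DIR/$name" || return 3
    echo "$CA_DIR/$name"
}

# Stage the certificate, show what is about to become trusted, then rebuild the store.
import_ca_cert() {
    staged=$(stage_ca_cert "$1") || return $?
    # Compare this fingerprint with the one from the machine that created the CA.
    openssl x509 -in "$staged" -noout -subject -enddate -fingerprint -sha256
    update-ca-certificates
}
```

To use it, source the file in a root shell and call import_ca_cert with the path to ca.crt.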
Validate that the import was successful
After the file has been imported, it can be verified using
ls -l /etc/ssl/certs | grep ca.crt
user@linuxvm:~$ ls -l /etc/ssl/certs | grep ca.crt
lrwxrwxrwx 1 root root 57 Aug 13 11:42 ca.pem -> /usr/local/share/ca-certificates/user-certificates/ca.crt
If you have OpenSSL installed, you can validate using
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt ca.crt
user@linuxvm:~$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt ca.crt
ca.crt: OK
Test the connection using Python
Python version 3.7 and later can access the OS certificate keystore. This support may be library-dependent. Follow these steps to test with the "requests" library:
- Install the pip-system-certs package:
pip install pip-system-certs
- Run these two lines of code (change 127.0.0.1 to the address of your server):
import requests
print( requests.Session().post( "https://127.0.0.1:8443/api", data = '{"api": "admin","action": "pingSession"}' ).json() )
- A successful run shows the following:
{'errorCode': 0, 'errorMessage': ''}