2

I used openssl to create a self-signed CA cert on Ubuntu GNOME 16.04, and used this CA cert to sign a cert for postfix and httpd. But when using TLS to connect to postfix, the command was:

openssl s_client -connect xiedeacc.com:587 -starttls smtp

it complains and returns:

verify error:num=21:unable to verify the first certificate
Verify return code: 21 (unable to verify the first certificate)

but when changing the command to

openssl s_client -connect xiedeacc.com:587 -starttls smtp -CAfile /etc/ssl/certs/xiedeaccca.crt

the output was all right, no problem, so I guess openssl s_client cannot find this self-signed CA, but Chrome can visit this CA-signed website after I manually import it into Chrome's root cert list. So, how do I import it into Ubuntu's certificate root list and not just Chrome's root cert list? Does Ubuntu store CA certs like Windows?

xiedeacc

1 Answer

2

To import your self-signed CA to Ubuntu's certificate root list, you have to configure ca-certificates:


First, make a directory called /usr/share/ca-certificates/extra:

sudo mkdir /usr/share/ca-certificates/extra

Then, copy your CA certificate to the directory:

sudo cp /etc/ssl/certs/xiedeaccca.crt /usr/share/ca-certificates/extra/xiedeaccca.crt

Finally, reconfigure ca-certificates:

sudo dpkg-reconfigure ca-certificates

Press Space to select your self-signed CA cert, and you should be done.


Cynplytholowazy
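An added example, not part of the original question or answer: it reproduces the behaviour above on constructed throwaway certificates, showing that OpenSSL ignores a CA file in a trust directory until a subject-hash link points at it, and that a pre-install check can reject a non-CA certificate. The `store` directory stands in for /etc/ssl/certs, and the function names (`make_demo_pki`, `is_ca_cert`, `trusts`, `install_ca`) are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed demo in a temp dir: a CA file that merely sits in the trust
# directory is not used until it has a subject-hash link, the link that
# update-ca-certificates maintains under /etc/ssl/certs. Nothing under
# /etc or /usr is touched; all names and certificates here are made up.

# make_demo_pki DIR: throwaway CA (ca.crt) and a server cert (leaf.crt) it signed.
make_demo_pki() {
    ( cd "$1" || exit 1
      printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
          '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
      openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 2 \
          -subj '/CN=Demo Private CA' -keyout ca.key -out ca.crt || exit 1
      openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
          -subj '/CN=mail.example.test' -keyout leaf.key -out leaf.csr || exit 1
      openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 2 -out leaf.crt
    ) >/dev/null 2>&1
}

# is_ca_cert FILE: true only for a certificate marked basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# trusts STORE CERT: does CERT verify with STORE as the CApath directory?
trusts() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# install_ca STORE FILE: refuse non-CA input, copy it in, add the hash link.
install_ca() {
    is_ca_cert "$2" || { echo "refusing: $2 is not a CA certificate" >&2; return 1; }
    cp "$2" "$1/" || return 1
    ln -sf "$(basename "$2")" "$1/$(openssl x509 -in "$2" -noout -subject_hash).0"
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/store" && make_demo_pki "$d" || return 1
    cp "$d/ca.crt" "$d/store/"          # file present, but no hash link yet
    trusts "$d/store" "$d/leaf.crt" && echo "before: trusted" || echo "before: untrusted"
    install_ca "$d/store" "$d/ca.crt"
    trusts "$d/store" "$d/leaf.crt" && echo "after: trusted" || echo "after: untrusted"
    rm -rf "$d"
}
demo
```

On the real system the answer's dpkg-reconfigure ca-certificates step does the linking; install_ca only mirrors it inside the temp directory.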