Home / server / Questions / 1003517
In Process
Luke Puplett
Asked: 2020-02-19 04:31:16 +0800 CST

How do I install a PFX certificate file into Ubuntu so Curl trusts it?

  • 772

I'm running Ubuntu 18.04 on Windows Subsystem for Linux 2. I am making a curl request to a web service running on the Windows side using a self-signed certificate. I receive this error:

curl: (60) SSL certificate problem: unable to get local issuer certificate

I'd like to add the cert to the local store. I have a .pfx file available. I know I can use -k but I want to use other command line tools against this server.

How do I do this?

My own trials

openssl s_client -showcerts -servername server -connect server:443 > foo.pem
openssl x509 -in foo.pem -inform PEM -out foo.crt
sudo cp foo.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

This looks plausible but didn't work, curl still has the same complaint.

I also tried to use a DER version.

sudo rm /usr/local/share/ca-certificates/windows_cert.crt
openssl x509 -in windows_cert.pem -inform PEM -out windows_cert_der.crt -outform DER
sudo cp windows_cert_der.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Give up

Don't worry, I started following some of the replies here.

https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

But got nowhere, its obviously a very hard problem in the world of computing.

I've found that a few months back they added a switch to the command line tool I need to use that ignores certificate problems.

ubuntu ssl-certificate curl ubuntu-18.04

2 Answers

  1. You can use the openssl command to convert nearly any certificate format to another. PFX is another name for a pkcs12 container.

    If you can extract the cert in PEM format curl should be able to use it.

    openssl pkcs12 -in cert.pfx -clcerts -out cert.pem

    This may ask you for a password which will be the one used to secure the PKCS12 file

    You want to use the output cert.pem file with the --cacert curl command line option not -k

    • 2

  2. Under the Debian family the distribution way of handling a trust certificate is as follows (reverse engineered by looking at update-ca-certificates):

    I will use myca as a standin name for your ca (or self-signed) cert and myca.crt as the file with the certificate (DER or PEM). The .crt is mandatory.

    • Make directory under /usr/share/ca-certificates
      • mkdir /usr/share/ca-certificates/myca
    • Put the ca.crt in it
      • cp ./ca.crt /usr/share/ca-certificates/myca/
    • Run dpkg-reconfigure ca-certificates, choose ask to selectively add new trust anchors and select in the second screen your new myca/myca.crt and press OK
      • dpkg-reconfigure ca-certificates

    To do it more programmatically

    After you made the directory and put your cert in:

    echo myca/myca.crt >> /etc/ca-certificates.conf
/usr/sbin/update-ca-certificates

    This last method does not record the configure setting in /var/cache/debconf/config.dat so if you run dpkg-reconfigure ca-certificates or update the ca-certificates package, your new trust anchor may disappear again. Running update-ca-certificates is safe.

    To get only the certificate from a pfx with self-signed certificate:

    openssl pkcs12 -in my.pfx -nokeys -out myca.crt

    And enter the password to open the pfx.

    Adding a self-signed certificate to the root level central trust repository does mean that everyone who possesses its private key gets ways to do MITM attacks on your server.

    • 1