I have created a custom root certificate authority for an internal network, example.com. Ideally, I would like to be able to deploy the CA certificate associated with this certificate authority to my Linux clients (running Ubuntu 9.04 and CentOS 5.3), such that all of the applications automatically recognize the certificate authority (i.e. I do not want to have to configure Firefox, Thunderbird, etc. manually to trust this certificate authority).
I have attempted this on Ubuntu by copying the PEM-encoded CA certificate to /etc/ssl/certs/ and /usr/share/ca-certificates/, as well as by modifying /etc/ca-certificates.conf and rerunning update-ca-certificates; however, applications do not seem to recognize that I have added another trusted CA to the system.
Therefore, is it possible to add a CA certificate once to a system, or is it necessary to manually add the CA to all of the possible applications that will attempt to make SSL connections to hosts signed by this CA in my network? If it is possible to add a CA certificate once to the system, where does it need to go?
Thanks.
In short: you need to update every application by itself.
Not even Firefox and Thunderbird share certificates.
Unfortunately, Linux has no central place to store/manage SSL certificates. Windows does have such a place, but in the end you end up with the same problem (Firefox/Thunderbird won't use the Windows-provided API to determine the validity of an SSL cert).
I'd go with something like puppet/cfengine on each of the hosts and place the needed root certificates on all the clients with the mechanisms those tools provide.
Sadly, programs like Firefox and Thunderbird use their own database.
However you could write a script to find all the profiles, then add the cert. Here is the tool to add the cert: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
As well, you can set up a default cert8.db file, so new profiles will get it too.
For other applications, it's a matter of whether they support the central store or not.
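The profile-walking script this answer suggests, written out as an added example (not code from the answer or from Mozilla). It locates every Firefox/Thunderbird NSS database under the home directories you pass in and imports the CA into each with certutil. The assumptions are: profiles live under the usual ~/.mozilla and ~/.thunderbird trees, the nickname is arbitrary, and certutil (from the NSS tools package) is on the PATH; when it is not, the import is reported and skipped so the discovery part still works.

```shell
#!/bin/sh
# Added example, not from the answers above: locate Mozilla NSS profile
# databases under the given home directories and import a CA into each one
# with certutil. Profile locations are the usual ~/.mozilla and ~/.thunderbird
# trees (assumed); the nickname is arbitrary; the home directories passed in
# are assumed to exist.

# find_nss_profiles HOME_DIR...
#   prints one directory per line for every cert8.db (legacy dbm format) or
#   cert9.db (sqlite format) found under the Firefox/Thunderbird profile trees.
find_nss_profiles() {
    for home in "$@"; do
        for tree in "$home/.mozilla" "$home/.thunderbird"; do
            [ -d "$tree" ] || continue
            find "$tree" \( -name cert8.db -o -name cert9.db \) -exec dirname {} \;
        done
    done | sort -u
}

# nss_db_spec PROFILE_DIR
#   certutil must be told which database format it is talking to:
#   sql: for cert9.db, dbm: for the older cert8.db.
nss_db_spec() {
    if [ -f "$1/cert9.db" ]; then echo "sql:$1"; else echo "dbm:$1"; fi
}

# add_ca_to_profile PEM_FILE NICKNAME PROFILE_DIR
#   imports the CA trusted for SSL and S/MIME ("C,C," = trusted CA for the
#   SSL and email trust slots); reports and skips if certutil is missing.
add_ca_to_profile() {
    pem="$1"; nick="$2"; dir="$3"
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found; would import $pem into $dir" >&2
        return 2
    fi
    certutil -d "$(nss_db_spec "$dir")" -A -n "$nick" -t "C,C," -i "$pem"
}

# add_ca_everywhere PEM_FILE NICKNAME HOME_DIR...
#   walks every profile found under the given homes and imports the CA;
#   one failing profile does not stop the others.
add_ca_everywhere() {
    pem="$1"; nick="$2"; shift 2
    find_nss_profiles "$@" | while IFS= read -r dir; do
        echo "importing into $dir"
        add_ca_to_profile "$pem" "$nick" "$dir" || true
    done
}

# usage: ./nss-add-ca.sh example-root-ca.pem "Example Root CA" /home/*
if [ "$#" -ge 3 ]; then
    add_ca_everywhere "$@"
fi
```

Run it as root over /home/* (or as each user over their own home); profiles should be closed while the database is modified. The same add_ca_to_profile call works against a profile template directory, which is how the "default cert8.db for new profiles" idea above would be realised.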
The method you've specified will update the central /etc/ssl/certs/ca-certificates.crt. However, you'll find most applications aren't configured to use this file. Most applications can be configured to point at the central file. There's no automatic way of making everything use this file without reconfiguring them.
It may be worth filing bugs in Ubuntu/Debian to use this file by default.
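The system-store side of this, as an added example (not code from the answer): it stages a PEM CA into the Debian/Ubuntu ca-certificates layout the way the question describes, records it in /etc/ca-certificates.conf without duplicating the entry on repeated runs, regenerates the bundle, and then checks that the CA actually landed in /etc/ssl/certs/ca-certificates.crt, which is the file you would then point individual applications at. The optional PREFIX argument is an assumption added for testing so the functions can be exercised against a scratch directory instead of the real root.

```shell
#!/bin/sh
# Added example, not from the original answer: stage a PEM CA into the
# Debian/Ubuntu ca-certificates layout and verify it reached the bundle.
# Paths are the standard ones; PREFIX is an assumed testing knob (empty
# means the real root filesystem).

# install_ca_file PEM_FILE [PREFIX]
#   copies the CA to /usr/share/ca-certificates/local/<name>.crt, records
#   "local/<name>.crt" in /etc/ca-certificates.conf exactly once, and runs
#   update-ca-certificates when operating on the real root.
install_ca_file() {
    pem="$1"; prefix="${2:-}"
    base=$(basename "$pem"); name="${base%.*}.crt"
    share="$prefix/usr/share/ca-certificates/local"
    conf="$prefix/etc/ca-certificates.conf"
    mkdir -p "$share" "$(dirname "$conf")"
    cp "$pem" "$share/$name"
    touch "$conf"
    # conf lines are paths relative to /usr/share/ca-certificates;
    # a leading '!' would disable an entry, so match the exact line.
    grep -qx "local/$name" "$conf" || echo "local/$name" >> "$conf"
    if [ -z "$prefix" ] && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    fi
}

# ca_in_bundle PEM_FILE BUNDLE_FILE
#   succeeds if the certificate's PEM block appears verbatim in the bundle
#   (the regenerated /etc/ssl/certs/ca-certificates.crt on a real system).
ca_in_bundle() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" | tr -d '\n')
    [ -n "$body" ] || return 1
    case "$(tr -d '\n' < "$2")" in
        *"$body"*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: ./install-ca.sh example-root-ca.pem
if [ "$#" -ge 1 ]; then
    install_ca_file "$1" "${2:-}"
    if ca_in_bundle "$1" "${2:-}/etc/ssl/certs/ca-certificates.crt"; then
        echo "CA present in system bundle"
    else
        echo "CA not found in system bundle" >&2
        exit 1
    fi
fi
```

The final check is the step most people skip: update-ca-certificates reporting "1 added" is not proof that the bundle a given application reads contains your CA, and an application configured with its own CA file or directory will not see the bundle at all.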
You can add your custom PKI CAs in Ubuntu and other distros. Here is the link, which you may find valuable: Linux Cert Management