Différences

Ci-dessous, les différences entre deux révisions de la page.

--- tech:notes_certs_root_ca [2025/03/24 15:06] – créée - modification externe 127.0.0.1
+++ tech:notes_certs_root_ca [2025/11/09 19:45] (Version actuelle) – Jean-Baptiste
@@ Ligne 1: / Ligne 1: @@
+<!DOCTYPE markdown>
 {{tag>Brouillon HTTPS TLS PKI CA}}
-= Notes certs root CA
+# Notes certs root CA
 Voir :
 curl
-<code ->
+~~~
 $ strace -f --trace=%file curl https://www.acme.fr 2>&1 |egrep -v 'ENOENT|/lib/' |grep ^open
 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
@@ Ligne 13: / Ligne 14: @@
 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
 openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
-</code>
+~~~
 A voir si curl utilise la LIBNSS
 Test
-<code bash>
+~~~bash
 curl -v -s --noproxy '*' -D - https://127.0.0.1:443/some-secure-endpoint
-</code>
+~~~
 Afficher les CA sous Debian
-<code bash>
+~~~bash
 awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
-</code>
+~~~
 Afficher les CA sous RedHat
-<code bash>
+~~~bash
 awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/tls/certs/ca-bundle.crt
-</code>
+~~~
 Vérifier les CA
-<code bash>
+~~~bash
-echo | openssl s_client -connect localhost:7000 -servername www.acme.fr -CAfile /tmp/cert.pem
+openssl s_client -connect localhost:7000 -servername www.acme.fr -CAfile /tmp/cert.pem </dev/null
-</code>
+~~~
-<code bash>
+~~~bash
 trust list --filter=ca-anchors --purpose=server-auth |grep ACME -i -A2 -B3
-</code>
+~~~
-<code bash>
+~~~bash
 find /etc/ssl/certs -type l -iname "*.0" -exec cat "{}" \; | awk -v cmd='openssl x509 -noout -subject -enddate 2>/dev/null | tr "\n" " " ; echo' '/BEGIN/{cert=""};{cert=sprintf("%s\n%s",cert,$0)};/END/{print cert | cmd ;close(cmd)}' | sed -r 's:^subject=::' | sort -u
@@ Ligne 47: / Ligne 48: @@
 cat /etc/ssl/certs/ca-certificates.crt | keytool -printcert 2>/dev/null | grep "^Certificate\[" -A11 | less
 csplit -z ca-bundle.crt /#/ '{*}'
-</code>
+~~~
 Liste blanche / noire
-<code ->
+~~~
 # /etc/pki/ca-trust/source/whitelist/
 # update-ca-trust
-</code>
+~~~
-<code>
+~~~
 # trust dump --filter "pkcs11:id=%BD%BD%98%7A%34%B4%26%F7%FA%C4%26%54%EF%03%BD%E0%24%CB%54%1B;type=cert" > /etc/pki/ca-trust/source/blacklist/addtrust-external-root.p11-kit
 # update-ca-trust extract
@@ Ligne 68: / Ligne 69: @@
     trust: blacklisted
     category: authority
-</code>
+~~~
 Sauvegarde PKI RedHat
-<code bash>
+~~~bash
 # Sauvegarde
 cp -a /etc/pki /etc/pki.bak
@@ Ligne 77: / Ligne 78: @@
 # Restore
 rsync -ax --delete /etc/pki.bak/ /etc/pki/
-</code>
+~~~
 Remove a CA certificate
-<code bash>
+~~~bash
 trust anchor --remove pkcs11:id=%15%FF%08%56%E0%6C%64%24%D0%56%70%91%87%8A%2B%2C%C6%5C%DD%34;type=cert
 # ou
 trust anchor --remove path.to/certificate.crt
-</code>
+~~~
 or
-<code bash>
+~~~bash
 rm /etc/pki/ca-trust/source/anchors/<CA Certificate Filename>
 update-ca-trust
-</code>
+~~~
-=== split the bundle into individual certificates
+### split the bundle into individual certificates
 Source : https://www.redhat.com/sysadmin/configure-ca-trust-list
 Cut bundle into individual files:
-<code bash>
+~~~bash
 csplit -z ca-bundle.crt /#/ '{*}'
-</code>
+~~~
 Remove blank lines:
-<code bash>
+~~~bash
 sed -i '/^$/d' xx*
-</code>
+~~~
 Rename files:
-<code bash>
+~~~bash
 for file in xx*; do mv $file $(head -n 1 $file | tr -d \#"                         "); done
-</code>
+~~~
-== Autres
-<code ->
+## Ajouter une CA
+Voir :
+  * https://www.redhat.com/en/blog/ca-certificates-cli
+~~~bash
+curl http://satellite.example.com/pub/katello-server-ca.crt -o /etc/pki/ca-trust/source/anchors/satellite-ca.crt
+update-ca-trust
+~~~
+## Autres
+~~~
 # # rpm -ql ca-certificates
 # rpm -q --filesbypkg ca-certificates |awk '/bin\// { print $2}'
 /usr/bin/ca-legacy
 /usr/bin/update-ca-trust
-</code>
+~~~