156

So in school we need to install a certificate to access https sites. In Firefox, I can import the certificate. However, I can't do so with the command line. For example, running git push I get:

fatal: unable to access 'https://github.com/user/repo': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

How do I import a certificate to remove this? The import must be able to authenticate for me. Also, it is a .cer file, so the answer for .crt will not work. Also, I do not want steps on how to set up git, as I already have. I want to know if it is possible to do that. Or can I just disable authentication with the git command totally and make it ignore certificates like what the answer here says? Also, I do not want the webpage to load, I have set Firefox to do that. I want the git push command to give the standard output like:

[master 630d087] message
 1 file changed, 93 insertions(+), 80 deletions(-)
 rewrite somefile (84%)
Counting objects: 9, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 978 bytes | 0 bytes/s, done.
Total 5 (delta 2), reused 0 (delta 0)
To https://github.com/User/Repo.git
   851ae39..630d087  master -> master

Note: I found out it's git config --global http.sslverify false. But I would like to see an answer for everything, not just a git hack.

Universal Electricity

7 Answers

247

TL;DR

For everything to work and not only your browser, you need to add that CA certificate to the system's trusted CA repository.

In Ubuntu:

  • Go to /usr/local/share/ca-certificates/
  • Create a new folder, e.g. "sudo mkdir school"
  • Copy the .crt file into the school folder
  • Make sure the permissions are OK (755 for the folder, 644 for the file)
  • Run "sudo update-ca-certificates"

Why

Let me explain what is going on also, so the other posters see why they don't need any certificate to use Github over HTTPS.

What is going on there is that your school is intercepting all the SSL communications, probably in order to monitor them.

To do that, what they do is in essence a "man in the middle" attack, and because of that, your browser complains rightfully that it is not able to verify github's certificate. Your school proxy is taking out github's cert and instead providing its own cert.

When your browser tries to verify the school's provided cert against the CA that signed github's cert, it rightfully fails.

So, for the SSL connection to work in the school, you need to consciously accept that "MITM" attack. And you do that by adding the school's CA certificate as a trusted one.

When you trust that school CA, your verification of the fake github cert will work, since the fake github cert will be verified by the school CA.

Be aware that the SSL connection is not safe anymore since your school administrator will be able to intercept all your encrypted connections.

Telegrapher
  • This is essentially the same answer as Mike's without the dpkg-reconfigure that shouldn't be needed. What may be going on is that git or another command line is not being 100% standard regarding their SSL verification. Using what you call "git hack" may be needed in order to work around the "SSL hack" your school implemented first. – Telegrapher Jul 17 '15 at 10:05
  • 1
    And also, be aware that you need root permissions to run these commands, so the sudo command needs to be successful, or you will not be able to update the system's Certificate Authorities. – Telegrapher Jul 17 '15 at 10:09
  • 4
    Please [edit] your answer to provide the additional facts - don't leave them in a comment. – guntbert Jul 20 '15 at 20:56
  • 1
    I believe that should be /usr/local/share/ca-certificates/. See man update-ca-certificates, which talks about there being a whitelist for /usr/share/ca-certificates/ but about how it implicitly trusts everything in the /usr/local/share/ca-certificates/ directory. – Ian Hickson Oct 06 '17 at 07:46
  • 9
    on Ubuntu 16.04 after adding the CA to /usr/local/share/ca-certificates I had to use sudo dpkg-reconfigure ca-certificates for it to pickup the CA. – Matt L. Dec 06 '17 at 15:56
  • @Telegrapher Thanks for the detailed information, this is only applicable on a Linux machine, can you also suggest how to install a .crt on macOS? – Gagan Sep 25 '19 at 20:40
  • For @Gagan and anyone else reading this thread, I searched for this while following this guide that explains how to install on MacOS: https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/ – JoshuaCWebDeveloper Aug 05 '21 at 17:58
  • I'm going to add that the cert file must be in the PEM format, otherwise you'll get a confusing error like skipping certificate.cer ,it does not contain exactly one certificate or CRL when doing sudo update-ca-certificates and it wouldn't work. You can convert a certificate in a DER (binary) format to PEM with openssl x509 -inform der -in CERTIFICATE.cer -out CERTIFICATE.crt (reference: https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/) – Papooch Jan 26 '23 at 09:03
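
The steps from the answer above, combined with the DER-to-PEM conversion from the comments, as an added example that is not part of the original answer or comments. It accepts a .cer or .crt file, refuses bundles and non-CA certificates, and prints the SHA-256 fingerprint for comparison before the trust store is rebuilt; the names stage_ca_cert and stage-ca.sh and the folder name "school" are assumptions.

```bash
# Added example. stage_ca_cert SRC DEST_DIR writes SRC as DEST_DIR/<name>.crt
# in PEM form and prints the new path; it never touches the trust store itself.
stage_ca_cert() {
    src=$1
    dest_dir=$2
    name=$(basename "$src")
    out="$dest_dir/${name%.*}.crt"   # update-ca-certificates only reads *.crt

    mkdir -p "$dest_dir" || return 1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        # Already PEM. A file with several certificates is skipped by
        # update-ca-certificates, so insist on exactly one.
        count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$src")
        if [ "$count" -ne 1 ]; then
            echo "error: $src holds $count certificates, expected 1" >&2
            return 2
        fi
        openssl x509 -in "$src" -out "$out" || { rm -f "$out"; return 3; }
    else
        # Binary DER, the usual content of a .cer export: convert to PEM.
        openssl x509 -inform DER -in "$src" -out "$out" ||
            { rm -f "$out"; return 3; }
    fi

    # Only a CA certificate belongs in the trust store; reject leaf certs.
    if ! openssl x509 -in "$out" -noout -text | grep -q 'CA:TRUE'; then
        echo "error: $src is not a CA certificate" >&2
        rm -f "$out"
        return 4
    fi
    chmod 644 "$out"

    # Show subject and SHA-256 fingerprint (on stderr) so they can be compared
    # with what the administrator published before the system trusts the CA.
    openssl x509 -in "$out" -noout -subject -fingerprint -sha256 >&2
    echo "$out"
}

# Script use, as root: ./stage-ca.sh school.cer
# (the file name stage-ca.sh and the folder name "school" are assumptions)
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    stage_ca_cert "$1" /usr/local/share/ca-certificates/school &&
        update-ca-certificates
fi
```

Unlike git config --global http.sslverify false, this leaves certificate verification switched on and adds only the one CA to the system store.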
57

The ca-certificates package has the instructions in its README.Debian:

If you want to install local certificate authorities to be implicitly trusted, please put the certificate files as single files ending with .crt into /usr/local/share/ca-certificates/ and re-run update-ca-certificates.

Note that it mentions a directory different from the other answers here:

/usr/local/share/ca-certificates/

After copying into /usr/local/share/ca-certificates/ you can then update the cert's permissions and run sudo update-ca-certificates as mentioned in Telegrapher's answer. You will see in the output that the cert was added.

David Foerster
34

Extensions .crt, .pem and .cer are interchangeable, just change the file name extension, they have the same form. Try this:

$ sudo cp mycert.cer /usr/share/ca-certificates/mycert.pem
$ sudo dpkg-reconfigure ca-certificates
$ sudo update-ca-certificates
$ git config --global http.sslCAInfo /usr/share/ca-certificates/mycert.pem
Mike
  • Well, although this is true, it did not help. But in future it might help people. – Universal Electricity Jul 15 '15 at 13:32
  • I added one more line, try that to make git trust your certificate, note that I changed .cer to .pem in two of the 4 steps instead of .crt. @Unicorns Are Very Very Yummy – Mike Jul 15 '15 at 13:59
  • 6
    If your .CER file is binary (DER format) then you can't just change the extension. Use openssl(1) to convert the certificate to PEM format. Run: $ openssl -in mycert.cer -inform DER -out mycert.pem -outform PEM – leorize Jul 21 '15 at 01:36
  • 3
    @Archuser Maybe the right command is this: openssl x509 -inform DER -in certificate.cer -out certificate.pem – artificerpi Dec 30 '16 at 03:35
  • Changing the extension from .pem to .crt worked for me but I had to use the .crt extension, like explained in /etc/ca-certificates.conf: "files with extension '.crt' is recognized as available certs". – baptx Dec 07 '21 at 17:08
20

I read all the solutions and solved it like this:

sudo openssl x509 -inform DER -in certificate.cer -out certificate.crt

sudo mv certificate.crt /usr/share/ca-certificates/

cd /usr/share/ca-certificates

sudo chmod 644 certificate.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates
Kadir Y.
14

I use the following compilation of previous answers:

sudo -i
echo | openssl s_client -showcerts -servername site.example.com -connect example.com:443 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/' >> /usr/local/share/ca-certificates/ca-certificates.crt 
update-ca-certificates

Often both site.example.com and example.com are the same hostnames.

2

I was having a similar problem where installing the certificate in Firefox and Google Chrome worked, but updating in the terminal with sudo apt-get update was not working and gave 403 Forbidden IP errors. I also had a sample.cer file, so basically I had to convert it to .crt first.

sudo openssl x509 -inform DER -in sample.cer -out sample.crt

Still, while doing sudo dpkg-reconfigure ca-certificates I couldn't find the required certificate. My problem was that I was copying the certificate to the wrong place.

Instead of copying it to /usr/share/ca-certificates I was copying it to /usr/local/share/ca-certificates. Placing it in the right place solved my problem, but I'm still not able to update the packages or install new packages.

Quick fix (for me on):

Use of ftp instead of http

sudo sed -i s/http/ftp/ /etc/apt/sources.list && sudo apt-get update

and the above command worked. Please make a copy of the sources.list file before making the changes.

If anything is not clear or not proper please do correct me.

0

To access a website with https, whether you are using a CLI or GUI browser, you don't need your school certificate.

To use git via http(s) you need to register your public key in your profile settings on GitHub.

More info here. Change your GitHub profile here.


Try this:

sudo apt-get install w3m
w3m https://github.com/

… works without an additional certificate.

A.B.
  • This is not correct. He clearly stated his school is intercepting https traffic, and needs the certificate to validate SSL. – David Baucum Jan 23 '23 at 16:19