Is it possible to become a trusted Certificate Authority in Ubuntu? And if yes, how? This would be really nice.
Asked
Active
Viewed 953 times
0
-
Do you mean trusted CA? – Tung Tran Dec 24 '15 at 10:37
-
Yes. Sorry. I'm not English... – Moritz30 Dec 24 '15 at 10:40
-
What does CA stand for? What is a CA? – Tshilidzi Mudau Dec 24 '15 at 10:42
-
Ca means Certificate Authority. – Moritz30 Dec 24 '15 at 10:43
-
@TshilidziMudau: CA is widely known to stand for Certification Authority. Anyway, do you want to become trusted on all Ubuntu systems (that'll involve lots of work and money) or just on a system under your control? – ThiefMaster Dec 24 '15 at 20:48
-
The following appears to be almost the same question: http://askubuntu.com/q/550326/40581 – LiveWireBT Dec 24 '15 at 21:01
1 Answers
1
The package in Ubuntu is called ca-certificates, however I couldn't find any hint on the corresponding page of package, a manpage or the launchpad site and I didn't expect to make much sense out of the changelog. Since the package must come from Debian I looked on the corresponding page in Debian too. Then I looked into the file listing of the package and there it was: /usr/share/doc/ca-certificates/README.Debian
How certificates will be accepted into the ca-certificates package
- Get it included into Mozilla's trust store.
- File a bug against ca-certificates stating this fact.
With the exception of SPI (http://www.spi-inc.org/), only those CAs included in the Mozilla trust store will be included in the ca-certificates package in Debian.
That is the way to get you certificate accepeted into ca-certificates.
Note from the Debian page:
Please note that Debian can neither confirm nor deny whether the certificate authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator.
However there are also other packages like ca-cert that ship certificates and if you wanted to let's say provide an internal certificate for your organization through a package repository, then you could do that too if that was your question. Though recent events have shown that providing certificates this way without proper understanding of IT security concepts can be a security risk for the users and my damage you organization's reputation if these certificates are found outside of your organization and abused to sign content you didn't intend to sign. Rolling your own is a bad idea.
LiveWireBT
- 28,763