centos7安装根证书 (root certificates)

1.将证书复制到 /etc/pki/ca-trust/source/anchors/ 文件夹，本文以mitmproxy的https证书为例

2.移动到将此证书软连接至 /etc/ssl/certs/文件夹中

效果如下

3.运行 update-ca-trust，更新系统的证书

此命令一般centos7自带，如果没有则需要安装

yum install ca-certificates

update-ca-trust force-enable

参考链接：

MacOS/Ubuntu/Debian/Centos系统下如何安装根证书

# yum -y install ca-certificates

# yum info ca-certificates

# rpm -ql ca-certificates

# rpm -ql ca-certificates | grep "crt"

tls-ca-bundle.pem 内各个证书的头尾格式：

BEGIN CERTIFICATE &END CERTIFICATE

ca-bundle.trust.crt 内各个证书的头尾格式：

BEGIN TRUSTED CERTIFICATE &END TRUSTED CERTIFICATE

/etc/pki/tls/certs/ca-bundle.crt 文件存储了各大证书颁发证的根证书交叉文件。

curl 访问https网站时，会比对这个文件里的根证书。如果这个文件过老，那就是有新的根证书未加入到这个文件里，导致curl无法正常访问https网站。

所以，你要么更新这个包（文件），要么可以选择手动添加证书进去，当然，你可以使用 curl  -k  跳过证书验证。

更新最新证书：

https://curl.se/ca/cacert.pem

对CentOS7.x而言，手动添加证书信任：

获取服务端证书 X.crt

# cp  X.crt  /etc/pki/ca-trust/source/anchors/

# update-ca-trust

# cat /etc/pki/ca-trust/README

# man update-ca-trust >update-ca-trust.txt

SSL Certificate Verification

https://curl.se/docs/sslcerts.html

Managing TLS and trusted CA certificates

https://docs.pexip.com/admin/certificate_management.htm

SSL and SSL Certificates Explained For Beginners

http://www.steves-internet-guide.com/ssl-certificates-explained/

Adding trusted root certificates to the server

https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

How to add Certificate Authority file in CentOS 7

https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-file-in-centos-7

---