After asking for help on the Clear Linux forum (here: https://community.clearlinux.org/t/how-to-add-new-trusted-ca-certificate-to-clear-linux/3457), the first reply directed me to the Clear Linux GitHub page (https://github.com/clearlinux/clrtrust#add-trust-a-root-ca).

From there, I obtained the information I needed to get my small Clear Linux VM to trust my Windows CA certificate.

Here's how.

(On your Windows CA):

  • Export your Windows CA certificate as follows:
  1. Click Start -> Administrative Tools -> Certification Authority to open the CA Microsoft Management Console (MMC) GUI.
  2. Select your CA computer object, then right-click and select Properties.
  3. (In the new popup window) Click on the General tab, then click View Certificate.
  4. Select Details and click on the "Copy to File…" button (in the lower right corner of the window).
  5. Use the Certificate Export Wizard to save the CA certificate to a file. Note: Save the CA certificate in Base-64 encoded X.509 (.CER) format.
  6. (In Windows Explorer) Rename your output .cer file to .pem

Once you have your trusted CA file, you'll want to transfer it to your Clear Linux host.

  • You may wish to use SCP to do that, so "WinSCP" (https://winscp.net/eng/download.php) may be your friend. Just ensure you have one of the latest builds of WinSCP, because Clear Linux uses Elliptic Curve Certificates by default and WinSCP started supporting ECs only recently.
  • Another neat way to transfer your trusted CA cert is to place it on a web server (such as your CRL) and download it from there (for example by using curl or your Clear Linux web browser).

Note: if you place your pem file on an IIS web server, make sure you add an additional MIME type to IIS for your pem file (otherwise IIS will refuse to serve it and your download won't even start).

To add an additional MIME type to your IIS web server:

  1. Open IIS Manager.
  2. Click on your IIS Server Name on the left.
  3. Locate and open the "MIME Types" IIS module.
  4. Click on Add (to the right).
  5. Specify your new pem MIME type as follows:

File name extension: .pem

MIME type: application/x-pem-file

  • Test with your browser to ensure you're able to download it.

At this stage, I'll assume you were able to transfer your trusted CA certificate to your Clear Linux host.

The next step involves adding your trusted CA certificate to your Clear Linux trusted store.

Proceed as follows:

  1. Open a terminal in the directory to which you transferred your pem file.
  2. Type:

clrtrust add TrustedCA-Base64-Encoded-Binary-X-509.pem

  • The above command places a copy of your trusted CA certificate in your Clear Linux trusted CA certificate store.

For what it's worth:

  • The physical location of your Clear Linux trusted CA certificate store is /etc/ssl/certs (<- your trusted certs are all here!)
  • The location of your Clear Linux trusted CA certificate store cache is /var/cache/ca-certs (<- here your trusted CA certs are cached)

Now that you know a bunch of new things, it's time to go back to your project(s), so a good question would be "why would you like to get your Clear Linux host to trust your Windows CA?"
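
Because the file you add becomes a trust root, you can confirm that what arrived on the Clear Linux host is the certificate you exported before running clrtrust add. The script below is an added example, not part of the original post or of the clrtrust project; the script name verify-ca.sh and its function names are hypothetical, and it assumes you noted the certificate's SHA-256 fingerprint on the Windows CA and brought it over by a separate channel.

```shell
#!/bin/sh
# Added example: verify a transferred CA certificate before trusting it.
# Uses only grep, sed, tr, base64, sha256sum and cut.

# Print the SHA-256 fingerprint (lowercase hex) of the DER certificate
# inside a PEM file. Fails unless the file holds exactly one certificate,
# so a bundle carrying extra roots is rejected.
pem_fingerprint() {
    pem=$1
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem") || true
    if [ "$count" != "1" ]; then
        echo "expected exactly 1 certificate in $pem, found ${count:-0}" >&2
        return 1
    fi
    # Keep the base64 body, drop CRs left by Windows line endings,
    # decode to DER and hash the DER bytes.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" \
        | grep -v -e '-----' | tr -d '\r' \
        | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint as other tools display it
# ("AB:CD:..." or "ab cd ...") to bare lowercase hex.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# Return 0 only if the file's fingerprint equals the expected one.
verify_ca_pem() {
    actual=$(pem_fingerprint "$1") || return 1
    expected=$(normalise_fp "$2")
    if [ "$actual" = "$expected" ]; then
        echo "fingerprint OK: $actual"
        return 0
    fi
    echo "fingerprint MISMATCH: got $actual, expected $expected" >&2
    return 1
}

# Usage: sh verify-ca.sh <file.pem> <sha256-fingerprint-noted-on-the-CA>
# The certificate is added to the trust store only if the check passes.
if [ "$#" -eq 2 ]; then
    verify_ca_pem "$1" "$2" && clrtrust add "$1"
fi
```

Hashing the decoded DER bytes rather than the file itself means a transfer that changed the line endings still verifies, while any change to the certificate does not.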
