How to install company proxy certificate

These are both internal sites trusted by same public CA.

How can debug this further? I ran into some solutions where they ask to install company's into the server(though i'm wondering why one site works but other one doesnt), but not sure how to install this certificate correctly.

Can someone help please?

Thanks for the help.

2 Answers 2

You can use curl -k . to make it ignore certificate irregularities.

Or you can use curl --cacert to supply your company CA cert.

Or you can add your company CA cert to /etc/pki/tls/certs/ and run make there to make it available system-wide.

Ah, and to retrieve the company root CA use this: openssl s_client -connect git.company.com:443 -showcerts - that will dump all the certificates in the chain.

For me downloading the relevant certificates worked nicely with

host=www.apache.org; \ echo "" | openssl s_client -showcerts -connect $:443 | \ awk '/-----BEGIN CERTIFICATE-----/ < i++; >/-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/ < print >"cert-" i ".crt" >'; \ for cert in *.crt; do \ newname=$( \ openssl x509 -noout -subject -in $cert | \ sed -nE 's/.*CN ?= ?(.*)/\1/; s/\s/_/g; s/[^[:alnum:]]/_/g; s/__+/_/g; s/^_//g; s/_$//g; p' | \ tr -s '[:upper:]' '[:lower:]'\ ).crt; \ echo "$"; \ mv "$" "$"; \ done 

The variable host is of course just "nice-to-have", you can directly edit the host in the first openssl command.

The echo "" reduces waiting time for openssl .

The openssl fetches all certificates.

The awk extracts the certificates and puts each by incremented index in a separate file with file name suffix .crt .

The for iterates over all downloaded/found certificate ( .crt ) files.

The sed and tr removes all clutter from the name iterates over all downloaded/found certificates.

BTW: For Ubuntu I head to put the CRT files into /etc/ssl/certs/ not /etc/pki/tls/certs/ and it is needed to run sudo update-ca-certificates afterwards.