How to install / trust a root CA certificate?

(I hope this is the right category to post in)

I have a certificate authority (CA) in a PKI. It issues all certificates in our infrastructure. ACME clients are also installed and configured to renew their certificates. Root CA certificates (as well as intermediates) are also installed in each system.

What are the steps to install and trust such a Root CA certificate in OpenWRT? With the shell, please.

To illustrate what I'm talking about, here is what's done on Debian to install a Root CA certificate:

# Place the cert at the right place
cp ./myRootCA.cert /usr/local/share/ca-certificates/

# Update the CA store
sudo update-ca-certificates

Well, I can't find proper documentation for OpenWRT. I'd be happy to create it once I can make it work though.

The final goal is to use acme.sh from OpenWRT.

I have successfully installed acme.sh as a client to issue/renew the needed certificate from our CA. Problem: this CA (ACME) requires HTTPS, so...

/usr/lib/acme/acme.sh --issue --standalone --server https://ca.private-domain.tld/acme/acme/directory -d record.private-domain.tld
[Wed Feb  1 07:06:20 UTC 2023] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 5

SSL verification failure

Yeah, I need to install the root CA certificate of my CA.

Not skilled enough, but... does it apply to your needs?

You can copy the ca cert file to /etc/ssl/certs

This is where the other trusted ca certs are as far as I can see.


I installed ca-certificates:

opkg install ca-certificates
Package ca-certificates (20211016-1) installed in root is up to date.

I still don't find the binary for update-ca-certificates.

Then I installed each Root CA:

ls -al /etc/ssl/certs | grep private-domain
-rw-r--r--    1 root     root           688 Jan 31 19:03 ca.private-domain.tld-intermediate_ca.crt
-rw-r--r--    1 root     root           745 Jan 31 19:04 ca.private-domain.tld-root_ca.crt

How do I add them to the trust store?

Don't think you need the update-ca-certificates binary.

Have you tried wget or curl to an HTTPS server which uses a certificate issued by your CA to see if the openwrt device trusts it?

Yes I did.

wget https://ca.private-domain.tld/acme/acme/directory
--2023-02-01 08:25:10--  https://ca.private-domain.tld/acme/acme/directory
Resolving ca.private-domain.tld... 192.168.xx.xx
Connecting to ca.private-domain.tld|192.168.xx.xx|:443... connected.
ERROR: cannot verify ca.private-domain.tld's certificate, issued by 'CN=ca.private-domain.tld Intermediate CA,O=ca.private-domain.tld':
  Self-signed certificate encountered.
To connect to ca.private-domain.tld insecurely, use `--no-check-certificate'.

Not skilled enough, but... does it apply to your needs?

This is valid for a "registered" CA like Let's Encrypt, yes. In that case, Root CA certificates are bundled and installed in your system by default.

In my case, the Certificate Authority is not public, it's private. Which means I have to install its root certificate in the system, manually.

I'll be happy to add details to this page when my problem is solved :slight_smile:

Could you try appending your certs to the bottom of ca-certificates.crt?

The source for the ca-certificates install is below. Might provide some clues.

That's an idea, yep. I have another problem then :stuck_out_tongue:

define Package/ca-bundle/install
	$(INSTALL_DIR) $(1)/etc/ssl/certs
	cat $(PKG_INSTALL_DIR)/usr/share/ca-certificates/*/*.crt >$(1)/etc/ssl/certs/ca-certificates.crt
	$(LN) /etc/ssl/certs/ca-certificates.crt $(1)/etc/ssl/cert.pem

Do you know where I can find the value of $(PKG_INSTALL_DIR) ?

Because /usr/share/ca-certificates doesn't exist. I don't find where ca-certificates is installed. That's why I couldn't find update-ca-certificates.

ls /usr/share/ca-certificates
ls: /usr/share/ca-certificates: No such file or directory

In other words, I find nothing to cat.

However, I find many certs in /etc/ssl/certs, along with mine:

ls -1 /etc/ssl/certs | wc -l
257

ls -1 /etc/ssl/certs
ACCVRAIZ1.crt
AC_RAIZ_FNMT-RCM.crt
AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt
ANF_Secure_Server_Root_CA.crt
Actalis_Authentication_Root_CA.crt
AffirmTrust_Commercial.crt
AffirmTrust_Networking.crt
AffirmTrust_Premium.crt
AffirmTrust_Premium_ECC.crt
Amazon_Root_CA_1.crt
Amazon_Root_CA_2.crt
Amazon_Root_CA_3.crt
Amazon_Root_CA_4.crt
Atos_TrustedRoot_2011.crt
[...]

Also, /etc/ssl/certs/ca-certificates.crt exists but it hasn't been modified for a while. I installed ca-certificates yesterday.

ls -al /etc/ssl/certs/ca-certificates.crt
-rw-r--r--    1 root     root        195453 Oct 14 22:44 /etc/ssl/certs/ca-certificates.crt

This article looks helpful

https://www.sangqiao.com/blog/archives/142

The section "Adding certificates manually". Looks like you need to put the file there then hash it.

Similar to lines 55-62 in the makefile linked earlier.

Oh! :slight_smile:

Well, obviously modified a little bit:

cd /etc/ssl/certs
CANAME="ca.private-domain.tld"
CERTFILE="$CANAME.cert"
# Without -showcerts, s_client prints only the certificate the server presented for itself
openssl s_client -connect "$CANAME:443" < /dev/null > /tmp/temporary.out
# Keep just the PEM certificate block from the s_client output
openssl x509 -outform PEM < /tmp/temporary.out > "$CERTFILE"
# OpenSSL looks certificates up in this directory by <subject hash>.0 links
HASH="$(openssl x509 -hash -noout -in "$CERTFILE").0"
echo "$HASH"
ln -s "$CERTFILE" "$HASH"
ls -al "$HASH"
rm /tmp/temporary.out

And the results:

cd /etc/ssl/certs

CANAME="ca.private-domain.tld"
CERTFILE="$CANAME.cert"

openssl s_client -connect ca.private-domain.tld:443 < /dev/null > /tmp/temporary.out
depth=1 O = ca.private-domain.tld, CN = ca.private-domain.tld Intermediate CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = ca.private-domain.tld, CN = ca.private-domain.tld Intermediate CA
verify return:1
depth=0 CN = Step Online CA
verify return:1
DONE

openssl x509 -outform PEM < /tmp/temporary.out > "$CERTFILE"

HASH="$(openssl x509 -hash -noout -in $CERTFILE).0"

echo "$HASH"
8c62d93b.0

ln -s "$CERTFILE" "$HASH"

ls -al "$HASH"
lrwxrwxrwx    1 root     root            25 Feb  1 10:42 8c62d93b.0 -> ca.private-domain.tld.cert

curl -I https://ca.private-domain.tld/acme/acme/directory
HTTP/2 200
content-type: application/json
content-length: 332
date: Wed, 01 Feb 2023 10:43:42 GMT

rm /tmp/temporary.out

Root CA certificate installed and trusted :smiley: !

Gonna try acme.sh now.

Thank you @d687r02j8g


Thank you for posting the solution


Off topic, but for those interested in acme.sh, it worked:

/usr/lib/acme/acme.sh \
  --issue \
  --server https://ca.private-domain.tld/acme/acme/directory \
  -d record.private-domain.tld \
  --webroot /www

[Wed Feb  1 11:29:47 UTC 2023] Using CA: https://ca.private-domain.tld/acme/acme/directory
[Wed Feb  1 11:29:47 UTC 2023] Single domain='record.private-domain.tld'
[Wed Feb  1 11:29:47 UTC 2023] Getting domain auth token for each domain
[Wed Feb  1 11:29:48 UTC 2023] Getting webroot for domain='record.private-domain.tld'
[Wed Feb  1 11:29:48 UTC 2023] Verifying: record.private-domain.tld
[Wed Feb  1 11:29:58 UTC 2023] Success
[Wed Feb  1 11:29:58 UTC 2023] Verify finished, start to sign.
[Wed Feb  1 11:29:58 UTC 2023] Lets finalize the order.
[Wed Feb  1 11:29:58 UTC 2023] Le_OrderFinalize='https://ca.private-domain.tld/acme/acme/order/xxxxxxxxxxxxxxxxxxx/finalize'
[Wed Feb  1 11:29:59 UTC 2023] Downloading cert.
[Wed Feb  1 11:29:59 UTC 2023] Le_LinkCert='https://ca.private-domain.tld/acme/acme/certificate/xxxxxxxxxxxxxxxxxxx'
[Wed Feb  1 11:29:59 UTC 2023] Cert success.
-----BEGIN CERTIFICATE-----
MIIC9zCCApygAwIBAgIRAMLtjjgvTX3mLm+S9bwT43AwCgYIKoZIzj0EAwIwTjEd
[...]
RX3+2Hpi77ACIQDDwnZsKBQqlXj12G8J4XDjS95hA+zVy3o+ZdIByLtcrA==
-----END CERTIFICATE-----
[Wed Feb  1 11:29:59 UTC 2023] Your cert is in: /root/.acme.sh/record.private-domain.tld/record.private-domain.tld.cer
[Wed Feb  1 11:29:59 UTC 2023] Your cert key is in: /root/.acme.sh/record.private-domain.tld/record.private-domain.tld.key
[Wed Feb  1 11:29:59 UTC 2023] The intermediate CA cert is in: /root/.acme.sh/record.private-domain.tld/ca.cer
[Wed Feb  1 11:29:59 UTC 2023] And the full chain certs is there: /root/.acme.sh/record.private-domain.tld/fullchain.cer

Yes, it should: Acme.sh setup for single domain certificate

Documentation updated: https://openwrt.org/docs/guide-user/services/tls/certs#installing_and_trusting_a_root_ca_certificate_in_a_pki
