I have a certificate authority (CA) in a PKI. It issues all certificates in our infrastructure. ACME clients are also installed and configured to renew their certificates. Root CA certificates (as well as intermediates) are also installed in each system.
What are the steps to install and trust such a Root CA certificate in OpenWRT? With the shell, please.
To illustrate what I'm talking about, here is what's done on Debian to install a Root CA certificate:
# Place the cert at the right place
cp ./myRootCA.cert /usr/local/share/ca-certificates/
# Update the CA store
sudo update-ca-certificates
Well, I can't find proper documentation for OpenWRT. I'd be happy to create it once I can make it work, though.
The final goal is to use acme.sh from OpenWRT.
I have successfully installed acme.sh as a client to issue/renew the needed certificate from our CA. The problem: this CA (ACME) requires HTTPS, so...
/usr/lib/acme/acme.sh --issue --standalone --server https://ca.private-domain.tld/acme/acme/directory -d record.private-domain.tld
[Wed Feb 1 07:06:20 UTC 2023] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 5
SSL verification failure
Yeah, I need to install the root CA certificate of my CA.
Off topic, but for those interested in acme.sh, it worked:
/usr/lib/acme/acme.sh \
--issue \
--server https://ca.private-domain.tld/acme/acme/directory \
-d record.private-domain.tld \
--webroot /www
[Wed Feb 1 11:29:47 UTC 2023] Using CA: https://ca.private-domain.tld/acme/acme/directory
[Wed Feb 1 11:29:47 UTC 2023] Single domain='record.private-domain.tld'
[Wed Feb 1 11:29:47 UTC 2023] Getting domain auth token for each domain
[Wed Feb 1 11:29:48 UTC 2023] Getting webroot for domain='record.private-domain.tld'
[Wed Feb 1 11:29:48 UTC 2023] Verifying: record.private-domain.tld
[Wed Feb 1 11:29:58 UTC 2023] Success
[Wed Feb 1 11:29:58 UTC 2023] Verify finished, start to sign.
[Wed Feb 1 11:29:58 UTC 2023] Lets finalize the order.
[Wed Feb 1 11:29:58 UTC 2023] Le_OrderFinalize='https://ca.private-domain.tld/acme/acme/order/xxxxxxxxxxxxxxxxxxx/finalize'
[Wed Feb 1 11:29:59 UTC 2023] Downloading cert.
[Wed Feb 1 11:29:59 UTC 2023] Le_LinkCert='https://ca.private-domain.tld/acme/acme/certificate/xxxxxxxxxxxxxxxxxxx'
[Wed Feb 1 11:29:59 UTC 2023] Cert success.
-----BEGIN CERTIFICATE-----
MIIC9zCCApygAwIBAgIRAMLtjjgvTX3mLm+S9bwT43AwCgYIKoZIzj0EAwIwTjEd
[...]
RX3+2Hpi77ACIQDDwnZsKBQqlXj12G8J4XDjS95hA+zVy3o+ZdIByLtcrA==
-----END CERTIFICATE-----
[Wed Feb 1 11:29:59 UTC 2023] Your cert is in: /root/.acme.sh/record.private-domain.tld/record.private-domain.tld.cer
[Wed Feb 1 11:29:59 UTC 2023] Your cert key is in: /root/.acme.sh/record.private-domain.tld/record.private-domain.tld.key
[Wed Feb 1 11:29:59 UTC 2023] The intermediate CA cert is in: /root/.acme.sh/record.private-domain.tld/ca.cer
[Wed Feb 1 11:29:59 UTC 2023] And the full chain certs is there: /root/.acme.sh/record.private-domain.tld/fullchain.cer