1. Introduction
While Linux distributions like Ubuntu and Debian have their SSL certificates stored in /etc/ssl/certs, things are a bit different with openSUSE. As such, placing an SSL certificate for an openSUSE server in /etc/ssl/certs may not produce the expected results.
In this tutorial, we’ll discuss how to install a system-wide SSL certificate on openSUSE.
2. Using trust
The trust command is a straightforward option for installing system-wide SSL certificates on openSUSE. To pull off such an installation, all we need to do is use the anchor subcommand of the trust command:
$ trust anchor --store ~/baeldung.pem
We don’t need to use the –store flag when adding a certificate to the trust store. So, we can make the previous command shorter:
$ trust anchor ~/baeldung.pem
The anchor subcommand can add and remove trust anchors, depending on the flag passed to it. While adding a certificate, we may omit the –store flag. But when removing one, we must use the –remove flag:
$ trust anchor --remove ~/baeldung.pem
After installing the certificate to the trust anchor store, we can verify the installation using another trust subcommand:
$ trust list
...truncated...
pkcs11:id=%C6%4F%A2%3D%06%63%84%09%9C%CE%62%E4%04%AC%8D%5C%B5%E9%B6%1B;type=cert
type: certificate
label: Baeldung
trust: anchor
category: authority
...truncated...
trust list will show us a list of all trust anchors on our system, including their PKCS#11 URI, label, and category.
3. Copying the SSL Certificate to /etc/pki/trust/anchors
Another way to install system-wide SSL certificates on an openSUSE server is to copy them to one of two directories: /etc/pki/trust/anchors or /usr/share/pki/trust/anchors.
Of course, /etc/pki/trust/anchors is for the administrator and /usr/share/pki/trust/anchors is for the user. Accordingly, the trusts in /usr/share/pki/trust/anchors have a lower priority than those in /etc/pki/trust/anchors.
Naturally, to install an SSL certificate on our server, we must get an SSL certificate first. Once we have the certificate, we may then copy or move it to any of the SSL directories mentioned previously:
$ sudo cp baeldung.pem /etc/pki/trust/anchors
3.1. Update the System-Wide SSL Certificate Store
After moving the certificate to /etc/pki/trust/anchors, we’ll update the system-wide SSL certificate store (the trust policy store). If we don’t, our new certificate may not be added to the system-wide trust policy store. This could be an issue on some web browsers.
To update the trust policy store, we’ll run the update-ca-certificates command:
$ sudo update-ca-certificates
As with the first method, we can verify the certificates installed using this method by running trust list. The output from trust list is typically long. But, if we know the certificate’s label, we can grep to filter the output:
$ trust list | grep Baeldung
...truncated...
label: Baeldung
3.2. Removing the Certificate
To remove SSL certificates installed with this method, we’ll delete the file we copied to /etc/pki/trust/anchors previously:
$ sudo rm /etc/pki/trust/anchors/baeldung.pem
After that, we’ll update the trust store:
$ sudo update-ca-certificates
4. Conclusion
In this article, we discussed two ways of installing a system-wide SSL certificate on openSUSE Linux. We also mentioned how to remove the SSL certificates installed using each method.