1. Introduction

While Linux distributions like Ubuntu and Debian have their SSL certificates stored in /etc/ssl/certs, things are a bit different with openSUSE. As such, placing an SSL certificate for an openSUSE server in /etc/ssl/certs may not produce the expected results.

In this tutorial, we’ll discuss how to install a system-wide SSL certificate on openSUSE.

2. Using trust

The trust command is a straightforward option for installing system-wide SSL certificates on openSUSE. To pull off such an installation, all we need to do is use the anchor subcommand of the trust command:

$ trust anchor --store ~/baeldung.pem

We don’t need to use the –store flag when adding a certificate to the trust store. So, we can make the previous command shorter:

$ trust anchor ~/baeldung.pem

The anchor subcommand can add and remove trust anchors, depending on the flag passed to it. While adding a certificate, we may omit the –store flag. But when removing one, we must use the –remove flag:

$ trust anchor --remove ~/baeldung.pem

After installing the certificate to the trust anchor store, we can verify the installation using another trust subcommand:

$ trust list
...truncated...
pkcs11:id=%C6%4F%A2%3D%06%63%84%09%9C%CE%62%E4%04%AC%8D%5C%B5%E9%B6%1B;type=cert
    type: certificate
    label: Baeldung
    trust: anchor
    category: authority
...truncated...

trust list will show us a list of all trust anchors on our system, including their PKCS#11 URI, label, and category.

3. Copying the SSL Certificate to /etc/pki/trust/anchors

Another way to install system-wide SSL certificates on an openSUSE server is to copy them to one of two directories: /etc/pki/trust/anchors or /usr/share/pki/trust/anchors.

Of course, /etc/pki/trust/anchors is for the administrator and /usr/share/pki/trust/anchors is for the user. Accordingly, the trusts in /usr/share/pki/trust/anchors have a lower priority than those in /etc/pki/trust/anchors.

Naturally, to install an SSL certificate on our server, we must get an SSL certificate first. Once we have the certificate, we may then copy or move it to any of the SSL directories mentioned previously:

$ sudo cp baeldung.pem /etc/pki/trust/anchors

3.1. Update the System-Wide SSL Certificate Store

After moving the certificate to /etc/pki/trust/anchors, we’ll update the system-wide SSL certificate store (the trust policy store). If we don’t, our new certificate may not be added to the system-wide trust policy store. This could be an issue on some web browsers.

To update the trust policy store, we’ll run the update-ca-certificates command:

$ sudo update-ca-certificates

As with the first method, we can verify the certificates installed using this method by running trust list. The output from trust list is typically long. But, if we know the certificate’s label, we can grep to filter the output:

$ trust list | grep Baeldung
...truncated...
    label: Baeldung

3.2. Removing the Certificate

To remove SSL certificates installed with this method, we’ll delete the file we copied to /etc/pki/trust/anchors previously:

$ sudo rm /etc/pki/trust/anchors/baeldung.pem

After that, we’ll update the trust store:

$ sudo update-ca-certificates

4. Conclusion

In this article, we discussed two ways of installing a system-wide SSL certificate on openSUSE Linux. We also mentioned how to remove the SSL certificates installed using each method.