Adding your own, trusted CA certificates in RedHat and Debian derivatives

2019-03-12 20:02:00

The past week I've gotten my start in an Ansible course and a book, starting my work towards RedHat's EX407 Ansible exam. I've been wanting to get a start in Ansible, after learning a lot about Puppet a few years back. And if I manage to pass EX407 it'll renew my previous RedHat certs, which is great. 

Anywho! The online course has its own lab environment, but I'm also applying all that I learn to my homelab. So far Ansible managed the NTP settings, local breakglass accounts and some systems hardening. Next stop was to ensure that my internal PKI's certificates get added to the trust stores of my Linux hosts. I've done this before on RedHat derivatives (CentOS, Fedora, etc), but hadn't done the trick on Debian-alikes (Ubuntu, Kali, etc) yet. 

First stop, this great blog post by Confirm IT Solutions. They've provided an example Ansible playbook for doing exactly what I want to do. :) I've taken their example and I'm now refactoring it into an Ansible role, which will also work for Kali (which unfortunately has unwieldy ansible_os_family and ansible_distribution values).

To summarize the differences between the two distributions:

RedHat expects:

• PEM or DER encoded,
• Separate or chained CA certificates, 
• Regardless of extension,
• Added into /etc/pki/ca-trust/source/anchors,
• After which you run: update-ca-trust

Debian expects:

• PEM encoded,
• Chain of CA certificates,
• With .crt extension,
• Added into /usr/local/share/ca-certificates,
• After which you run: update-ca-certificates

kilala.nl tags: work, sysadmin,

View or add comments (curr. 2)