[lug] self-signed ssl certs under CentOS

Michael J. Hammel mjhammel at graphics-muse.org
Thu Jan 26 16:13:37 MST 2017

Does anyone have a concise set of steps for dropping a self-signed cert
in .pem format onto CentOS 7 so libCurl will use it?

I've tried following the directions for update-ca-trust by dropping the
file in the following directories, one at time


And then running

    update-ca-trust extract

after each.  Then I run a C client that uses libCurl, but I always get

* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=xxx,OU=xxx,O=xxx,L=Colorado
*       start date: Jan 26 22:51:10 2017 GMT
*       expire date: Jan 24 22:51:10 2027 GMT
*       common name: xxx
*       issuer: CN=xxx,OU=xxx,O=xxx,L=Colorado Springs,ST=Colorado,C=US
* Issuer certificate is invalid.

(xxx are redacted fields).  The same cert works on Debian, which has a
much simpler process: just drop the file in /etc/ssl/certs.  Does a
cert generated on Debian have to be regenerated on CentOS?   I didn't
think so but who knows.

Michael J. Hammel <mjhammel at graphics-muse.org>

More information about the LUG mailing list