How to install website certificates on Linux

https://linuxkamarada.com/en/2018/10/30/how-to-install-website-certificates-on-linux/#.YJAl96L7RH5

How to install website certificates on Linux

Oct 30, 2018 23

Have you ever visited a website and your browser adverted you that your connection is not secure or private?

Understand what’s going on

When you visit a website that uses secure connection (web address starting with https), your communication is encrypted to help ensure your privacy. Before establishing connection, the website presents to the browser a security certificate identifying itself.

Anyone can create a certificate claiming to be whoever they want. But usually website certificates are issued and signed by certificate authorities (CA’s), which also have their own certificates. On their turn, CA’s certificates may be self-signed (in the case of a company’s internal CA) or signed by other CA’s so forth up to a root certificate authority (root CA). This chain of certificates is called the certificate hierarchy.

Root CA’s are public, well known and trusted organizations, such as the American FCPCA or the Brazilian ICP-Brasil. Usually root CA’s certificates are previously known by browsers.

When you visit an HTTPS website, the browser checks that its certificate is valid and the certificate hierarchy ends on a known CA certificate. If that checking succeeds, the browser displays a green lock icon near the address bar, indicating the website you are visiting is actually the website that it claims to be. You are safe to stay on it, enter passwords, provide credit card numbers and send or receive other sensitive data. Always look for the green lock icon when accessing banking or shopping websites.

When you visit an HTTPS website, but the certificate checking does not succeed, the browser adverts you that your connection is not secure or private. If that is the case, you need to proceed with caution: don’t enter any sensitive information on this page. If possible, leave it.

Sometimes, the connection is not really insecure. Security alerts may appear, for example, when you visit a web system of your organization, signed by an internal CA whose certificate is not previously known by the browser. In that case, you need to manually install your organization’s CA certificate to prevent false alerts.

Also Brazilian citizens always see privacy alerts when visiting websites of the Brazilian government. Browsers don’t come with the ICP-Brasil certificate out-of-the-box because it does not comply to Mozilla security requirements, which is an 11-year old bug. So, Brazilian citizens need to manually install it. Some Brazilian public organizations have adopted workarounds: for instance, the Federal Police of Brazil sign its forms (e.g. the passport application form) with a certificate issued by Let’s Encrypt, but content-only pages (including their own home page) are not signed at all. Let’s Encrypt is an American non-profit organization that issues certificates for free for anyone and is trusted by browsers.

Install the CA certificate

Let’s see how to add a CA certificate to the Mozilla Firefox and Google Chrome browsers, so they trust certificates signed by that CA. Same instructions for Chrome apply to its open source base Chromium.

I’m going to use SIGEPE as example, which is a Brazilian government web system whose certificate is signed by ICP-Brasil, the Brazilian root CA.

In your case, the certificate you are going to install may be from your company’s internal CA. You should retrieve it with your company’s network administrator.