Quartz sync: Jan 11, 2026, 4:26 PM
Some checks failed
Build and Push Quartz Wiki / build-and-push (push) Failing after 45s
@@ -0,0 +1,116 @@
---
title: Trust a certificate from a private local certificate authority
publish: true
date: 2026-01-11
tags:
- guide
- step-ca
- runbook
description:
---

# Trust a certificate from a private local certificate authority

## Overview

Make your device trust your private CA for TLS encryption.

## Prerequisites

- A local CA running (in our case step-ca) and reachable at `CA_URL`, for instance `https://local-ca.homelab.internal:443`
- An end device with access to a normal shell (*eww, Powershell*).
- very basic understanding of what a PKI is and how certificate trust works.


### Initial problem

When doing

```bash
curl $CA_URL
```

you get :

```
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
```

Which is normal as your root Certificate authority uses a self-signed certificate.

## Steps

### Step 1: Setup

If not already done, install step cli on your end-device :

```bash
brew install step
```

refer to official documentation https://smallstep.com/docs/step-ca/installation/ for additional installation details for your OS.

### Step 2 : get CA fingerprint

`CA_FINGERPRINT` is the fingerprint of your root certificate.

If you don't have any other device than Step CA with the CA configured, run

Inside of your host/container running step CA (or any client with step ca already configured)

```bash
step certificate fingerprint <(step ca root)
```

### Step 3: Bootstrap cert

You'll need to run :

```bash
step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT
```


where `CA_URL` is the address of the CA with protocol

### Step 3 : Install certificate


```bash
step certificate install <(step ca root)
```


### Step 4: Verification

In most modern distributions and *UNIX* derivatives, curl (particularly when installed by default) is configured to run with the system trust store

Now after running

```bash
curl $CA_URL
```

you get

`404 page not found`

Which is completely fine.

### You successfuly installed a certificate.

## References

- https://smallstep.com/docs/step-ca/installation/
- Related resources



---

*Created: 2026-01-11*
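Review bot: Step 2 ("get CA fingerprint") never says that `CA_FINGERPRINT` has to reach the new device over a channel you already trust; the `--fingerprint` pin in Step 3 is the only thing that stops `step ca bootstrap` from accepting a spoofed CA at `$CA_URL`, so the runbook should state that the fingerprint is read on the CA host itself (or on an already-bootstrapped client), copied across by hand or another trusted path, never fetched by the device being bootstrapped, and that a mismatch makes the bootstrap fail closed, which is the desired outcome. Smaller points in the same hunk: the sentence "If you don't have any other device than Step CA with the CA configured, run" is left dangling before the next paragraph and reads as one sentence with it; there are two "Step 3" headings (Bootstrap cert and Install certificate), so Verification should be Step 5; the `<(step ca root)` process substitution in Step 2 and in Install certificate is bash/zsh syntax and will not work in the PowerShell the prerequisites mention (save `step ca root` to a file first); `step certificate install` writes to the system trust store, so on Linux it typically needs `sudo`, and `step ca bootstrap` also accepts `--install` to bootstrap and install the root in one step, which would let Step 3 and Install certificate collapse into one command; "successfuly" is misspelled, the `description:` frontmatter key is empty, and "- Related resources" in References is a placeholder that should be filled or dropped.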