vorpax/wiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
v4
wiki/content/homelab/services/Trust a certificate from a private local certificate authority.md
vorpax c11e3f4a7a
Some checks failed
Build and Push Quartz Wiki / build-and-push (push) Failing after 45s
Details
Quartz sync: Jan 11, 2026, 4:26 PM
2026-01-11 16:26:42 +01:00

117 lines
2.3 KiB
Markdown
Raw Permalink Blame History

---
title: Trust a certificate from a private local certificate authority
publish: true
date: 2026-01-11
tags:
- guide
- step-ca
- runbook
description:
---
# Trust a certificate from a private local certificate authority
## Overview
Make your device trust your private CA for TLS encryption.
## Prerequisites
- A local CA running (in our case step-ca) and reachable at `CA_URL`, for instance `https://local-ca.homelab.internal:443`
- An end device with access to a normal shell (*eww, Powershell*).
- very basic understanding of what a PKI is and how certificate trust works.
### Initial problem
When doing
```bash
curl $CA_URL
```
you get :
```
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
```
Which is normal as your root Certificate authority uses a self-signed certificate.
## Steps
### Step 1: Setup
If not already done, install step cli on your end-device :
```bash
brew install step
```
refer to official documentation https://smallstep.com/docs/step-ca/installation/ for additional installation details for your OS.
### Step 2 : get CA fingerprint
`CA_FINGERPRINT` is the fingerprint of your root certificate.
If you don't have any other device than Step CA with the CA configured, run
Inside of your host/container running step CA (or any client with step ca already configured)
```bash
step certificate fingerprint <(step ca root)
```
### Step 3: Bootstrap cert
You'll need to run :
```bash
step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT
```
where `CA_URL` is the address of the CA with protocol
### Step 3 : Install certificate
```bash
step certificate install <(step ca root)
```
### Step 4: Verification
In most modern distributions and *UNIX* derivatives, curl (particularly when installed by default) is configured to run with the system trust store
Now after running
```bash
curl $CA_URL
```
you get
`404 page not found`
Which is completely fine.
### You successfuly installed a certificate.
## References
- https://smallstep.com/docs/step-ca/installation/
- Related resources
---
*Created: 2026-01-11*
Reference in New Issue View Git Blame Copy Permalink