wiki/content/homelab/services/Trust a certificate from a private local certificate authority.md
vorpax c11e3f4a7a
Quartz sync: Jan 11, 2026, 4:26 PM
2026-01-11 16:26:42 +01:00

title: Trust a certificate from a private local certificate authority
publish: true
date: 2026-01-11
tags: guide, step-ca, runbook

Trust a certificate from a private local certificate authority

Overview

Make your device trust your private CA for TLS encryption.

Prerequisites

  • A local CA running (in our case step-ca) and reachable at CA_URL, for instance https://local-ca.homelab.internal:443
  • An end device with access to a normal shell (eww, PowerShell).
  • A very basic understanding of what a PKI is and how certificate trust works.

Initial problem

When doing

curl $CA_URL

you get:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

This is expected: your root certificate authority uses a self-signed certificate that is not yet in the device's trust store, so curl cannot build a chain to a trusted issuer.

Steps

Step 1: Setup

If not already done, install the step CLI on your end device:

brew install step

Refer to the official documentation at https://smallstep.com/docs/step-ca/installation/ for additional installation details for your OS.

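Step 2: Get CA fingerprint

CA_FINGERPRINT is the fingerprint of your root certificate. It is the trust anchor for the bootstrap in the next step, so read it from a host you already trust rather than from the connection you are trying to secure.

The <( ) form used below is bash/zsh process substitution and is not available in PowerShell.

If no other device has the CA configured yet, run the following inside the host/container running step-ca (or on any client with step ca already configured):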

step certificate fingerprint <(step ca root)

Step 3: Bootstrap cert

You'll need to run:

step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINT

where CA_URL is the address of the CA, including the protocol, and CA_FINGERPRINT is the value obtained in Step 2.

Step 4: Install certificate

step certificate install <(step ca root)

Step 5: Verification

In most modern distributions and UNIX derivatives, curl (particularly when installed by default) is configured to use the system trust store.

Now after running

curl $CA_URL

you get:

404 page not found

This is completely fine: the TLS handshake succeeded, and the 404 is only the HTTP response for that path.

You successfully installed the certificate.
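The fingerprint from Step 2 is what lets the bootstrap in Step 3 authenticate a root certificate fetched over a connection that is not yet trusted. The script below is an added example, not part of the original runbook or of step's own code, that performs the same kind of pin check by hand on a root certificate saved to a file. Its function names are hypothetical; it assumes the pinned value is the hex SHA-256 of the DER certificate, as printed by step certificate fingerprint, and a base64 that accepts -d.

```shell
#!/bin/sh
# Added example: check a root CA certificate against a pinned SHA-256
# fingerprint before installing it. Function names are hypothetical.

# Hash stdin with SHA-256, print lowercase hex.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1   # e.g. macOS without coreutils
    fi
}

# Fingerprint of the first certificate in a PEM file:
# base64 body -> DER bytes -> SHA-256.
pem_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/ {body=1; next}
         /-----END CERTIFICATE-----/   {exit}
         body {print}' "$1" | tr -d '\r' | base64 -d | _sha256
}

# Accept "AB:CD:..." or "abcd..." and return plain lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Exit status: 0 match, 1 mismatch, 2 unusable input.
verify_root_fingerprint() {
    pem=$1
    pinned=$(normalize_fp "$2")
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }
    case $pinned in
        *[!0-9a-f]*) echo "pinned value is not hex" >&2; return 2 ;;
    esac
    [ "${#pinned}" -eq 64 ] || { echo "pinned value is not a SHA-256 digest" >&2; return 2; }
    actual=$(pem_fingerprint "$pem")
    if [ "$actual" = "$pinned" ]; then
        echo "OK $actual"
    else
        echo "MISMATCH: got $actual, pinned $pinned" >&2
        return 1
    fi
}

# Usage: sh check_root.sh root_ca.crt "$CA_FINGERPRINT"
if [ "$#" -eq 2 ]; then
    verify_root_fingerprint "$1" "$2"
fi
```

A mismatch means the file is not the root certificate you pinned, and it should not be installed into the trust store.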

Created: 2026-01-11