Root-certificate-deployment

How to add trusted Root-Certificates

How-to: Adding trusted root certificates to the SO (Win / MAC / Unix).

Feel totally free to edit this page to add another operating systems!
How-to list all available ssl CA certificates in Linux.
 Arch , Debian, Ubuntu
awk -v cmd=openssl x509 -noout -subject   /etc/ssl/certs/ca-certificates.crt

 Red-Hat, Fedora, CentOS
awk -v cmd=openssl x509 -noout -subject   /etc/ssl/certs/ca-bundle.crt

 Centos 5
awk -v cmd=openssl x509 -noout -subject   /etc/pki/tls/certs/ca-bundle.crt

Mac OS X

Double click on the certificate is usually enough. It can be done from the console too.

Add

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /new-root-certificate.crt

Remove

Windows

Add

certutil -addstore -f  new-root-certificate.crt

Remove

certutil -delstore  serial-number-hex

Ubuntu, Debian, Arch

Add (Option 1)

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt    Option 1.
sudo cp foo.crt /usr/share/ca-certificates/foo.crt          Option 2.

Update the CA store:

sudo update-ca-certificates   Option 1.
trust extract-compat         Option 2.

Add (Option 2)

Copy your CA to dir /etc/ca-certificates/trust-source/anchors/

cp foo.crt /etc/ca-certificates/trust-source/anchors/

Update the CA store:

Remove

sudo update-ca-certificates --fresh

Suse

Add

Copy your CA to dir /etc/pki/trust/anchors/

sudo cp foo.crt /etc/pki/trust/anchors/foo.crt

Update the CA store:

sudo update-ca-certificates

CentOs > 6.X

Add

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust force-enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

CentOs < 5.X

Add

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

Solaris

Solaris-specific Solaris keeps the CA certs in «/etc/certs/CA/».
Hashed links to the CA certs are in «/etc/openssl/certs/» for fast lookup and access (usually by OpenSSL).

By convention, but not required, the filenames in «/etc/certs/CA» is the cert holder’s CN with spaces replaced by underscores («_») and appended with a .pem file name extension. For example, file «/etc/certs/CA/foo.pem» contains the cert for CN «VeriSign Class 4 Public Primary Certification Authority — G3».

Add

Make or verify the cert is world-readable, if not already.

chmod a+r foo.pem ls -l foo.pem

Copy the cert to directory «/etc/certs/CA».

cp -p foo.pem /etc/certs/CA/

Install he cert into «/etc/certs/ca-certificates.crt» and add a hashed link in «/etc/openssl/certs/».

/usr/sbin/svcadm restart /system/ca-certificates

Verify

Verify the CA cert service has restarted (and processed your new CA cert).

/usr/sbin/svcs /system/ca-certificates

If the service hasn’t started it could be the cert is corrupt or is a duplicate of an existing CA cert. Look for error messages in files «/var/svc/log/system-ca-certificates:default.log» and «/system/volatile/system-ca-certificates:default.log»


Firefox Browser

Firefox has its own certificate store.

JVM / Java Keystore

Java uses the popular «Java KeyStore (JKS)», it does not use the trusted-root-certificates of the operating system.

Links of interest​ (Acrobat, Android, etc)

How can I trust CAcert’s root certificate?: http://wiki.cacert.org/FAQ/ImportRootCert

How to add trusted Root-Certificates

How-to: Adding trusted root certificates to the SO (Win / MAC / Unix).

Feel totally free to edit this page to add another operating systems!
How-to list all available ssl CA certificates in Linux.
 Arch , Debian, Ubuntu
awk -v cmd=openssl x509 -noout -subject   /etc/ssl/certs/ca-certificates.crt

 Red-Hat, Fedora, CentOS
awk -v cmd=openssl x509 -noout -subject   /etc/ssl/certs/ca-bundle.crt

 Centos 5
awk -v cmd=openssl x509 -noout -subject   /etc/pki/tls/certs/ca-bundle.crt

Mac OS X

Double click on the certificate is usually enough. It can be done from the console too.

Add

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /new-root-certificate.crt

Remove

Windows

Add

certutil -addstore -f  new-root-certificate.crt

Remove

certutil -delstore  serial-number-hex

Ubuntu, Debian, Arch

Add (Option 1)

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt    Option 1.
sudo cp foo.crt /usr/share/ca-certificates/foo.crt          Option 2.

Update the CA store:

sudo update-ca-certificates   Option 1.
trust extract-compat         Option 2.

Add (Option 2)

Copy your CA to dir /etc/ca-certificates/trust-source/anchors/

cp foo.crt /etc/ca-certificates/trust-source/anchors/

Update the CA store:

Remove

sudo update-ca-certificates --fresh

Suse

Add

Copy your CA to dir /etc/pki/trust/anchors/

sudo cp foo.crt /etc/pki/trust/anchors/foo.crt

Update the CA store:

sudo update-ca-certificates

CentOs > 6.X

Add

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust force-enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

CentOs < 5.X

Add

Append your trusted certificate to file /etc/pki/tls/certs/ca-bundle.crt

Solaris

Solaris-specific Solaris keeps the CA certs in «/etc/certs/CA/».
Hashed links to the CA certs are in «/etc/openssl/certs/» for fast lookup and access (usually by OpenSSL).

By convention, but not required, the filenames in «/etc/certs/CA» is the cert holder’s CN with spaces replaced by underscores («_») and appended with a .pem file name extension. For example, file «/etc/certs/CA/foo.pem» contains the cert for CN «VeriSign Class 4 Public Primary Certification Authority — G3».

Add

Make or verify the cert is world-readable, if not already.

chmod a+r foo.pem ls -l foo.pem

Copy the cert to directory «/etc/certs/CA».

cp -p foo.pem /etc/certs/CA/

Install he cert into «/etc/certs/ca-certificates.crt» and add a hashed link in «/etc/openssl/certs/».

/usr/sbin/svcadm restart /system/ca-certificates

Verify

Verify the CA cert service has restarted (and processed your new CA cert).

/usr/sbin/svcs /system/ca-certificates

If the service hasn’t started it could be the cert is corrupt or is a duplicate of an existing CA cert. Look for error messages in files «/var/svc/log/system-ca-certificates:default.log» and «/system/volatile/system-ca-certificates:default.log»

Дополнительно:  Не работает мышка на ноутбуке: почему и что делать – WindowsTips.Ru. Новости и советы

Firefox Browser

Firefox has its own certificate store.

JVM / Java Keystore

Java uses the popular «Java KeyStore (JKS)», it does not use the trusted-root-certificates of the operating system.

Links of interest​ (Acrobat, Android, etc)

How can I trust CAcert’s root certificate?: http://wiki.cacert.org/FAQ/ImportRootCert

How-To: Root CA certificate integration for Linux and Windows

If you manage your own corporate or private Certificate Authority (CA), sooner or later you’ll want to deploy the root CA’s certificate on your Linux and Windows clients. This little How-To guides you through the process of deploying your root certificate.

Assumption: Your root CA’s certificate is existent as root.cert.pem

Linux

System

sudo mkdir /usr/local/share/ca-certificates/extra
sudo cp root.cert.pem /usr/local/share/ca-certificates/extra/root.cert.crt
sudo update-ca-certificates

The system trust store ist used by most basic tools such as wget and curl

Browsers

Browsers will trust your CA after a restart.

Windows

System

Manually

Screencast

Via Active Directory

You can install new root certificates for every Windows domain participant via ActiveDirectory.

Browsers

Chrome, Vivaldi, Opera, Edge, Internet Explorer

These browsers are using the Windows trust store and accept the certificate by default if it was installed into the Windows trust store before.

Firefox

Firefox uses it’s own trust store and therefore doesn’t accept the Root CA even if Windows does. You can manually import the root certificate in the Firefox settings or enable experimental Windows trust store support:

Copy the file firefox-windows-truststore.js to Firefox’s C:\Program Files (x86)\Mozilla Firefox\defaults\pref directory.

Root Certificates are embedded within our operating system all around. These are also known as Trusted Root Certificates, created by the Certificate Authority (CA), accrediting that a website or software

Root Certificates are embedded within our operating system all around. These are also known as Trusted Root Certificates, created by the Certificate Authority (CA), accrediting that a website or software is who they claim they are. It is more like a digital certificate of authentication

By default, Windows 11 updates its root certificate over the internet through Windows Update at least once a week through a Trusted Root Certificate List (CTL). However, if your device is not connected to the internet, certificates will likely expire over time, thus causing certain scripts and applications to not function properly, or experience problems while browsing the internet.

Let us help you avoid this problem by showing you how to update your system’s Root Certificates.

Before we begin, let us guide you on how to see and manage the Root Certificates on Windows 11 and find out which certificates are expired or about to expire.

View trusted root certificates using the Certificate MMC

Windows comes with various Management Consoles that are used for managing different aspects of the operating system. One of these consoles is the Certificate Management Console.

  1. Start by typing in mmc.exe in Run to launch Microsoft Management Console.
  2. From the top menu, click File and then click Add/remove snap-in.
    add remove snapin
  3. From the pop-up window, select Certificates under “Available Snap-ins” and then click Add.
    certificates add
  4. In the next window, select Computer account and click Next.
    computer account
  5. Leave the default setting on the next page and click Finish.
    finish 1
  6. Back in the Add/Remove Snap-in window, click OK.
  7. Now, on the console, navigate to the following using the left pane:
    Certificates (Local Computer) >> Trusted Root Certification Authorities >> Certificates
    expand certificates

Here, you can view all the active and expired Root Certificates on your machine in the middle pane. It also states CA under the “Issued by” column, as well as the expiry date in another column.

View trusted root certificates using Windows PowerShell

Get-Childitem cert:\LocalMachine\root |format-list
pwsh view certs
View all certificates in PowerShell
Get-ChildItem cert:\LocalMachine\root | Where {$_.NotAfter -lt (Get-Date).AddDays(40)}
View expired certificates in PowerShell
View expired certificates in PowerShell

Now that you know how to manage the Root Certificates, let us update them.

Update root certificates from a remote computer

One way to update the Root Certificate(s) is to copy a valid certificate from another computer that is already installed, and then re-install it on your device. The process is simple as Windows is already equipped to export and import Root Certificates. However, to do this, make sure that both the source and the destination operating systems are the same.

We have divided this method into “Exporting a Root Certificate” and “Importing a Root Certificate” for your convenience.

Export Root Certificates

  1. Open the Certificate Management Console on the source computer (as discussed earlier in this post).
  2. From there, right-click on the certificate that you want to move to another device, expand All Tasks from the context menu, and then click Export.
    export context
  3. The Certificate Export Wizard will now be open. On the welcome screen, click Next.
  4. Click Next on the next screen while leaving the default settings.
    export next
  5. On the next screen, click Browse and save the .cer file with a name of your choice, then click Next.
    browse next
  6. On the final screen, confirm the settings and click Finish. Then click Ok on the confirmation dialog box.

You will now see the exported .cer file at the destination you chose in step 5. Copy this file onto a USB flash drive and plug it into the target system for the Root Certificate to be installed.

Import Root Certificates

  1. Open the Certificate Management Console on the source computer and navigate to the Certificates folder from the left pane.
  2. Right-click Certificates, expand All Tasks, and click Import from the context menu.
    import context
  3. On the welcome screen of Certificate Import Wizard, click Next.
  4. Click Browse on the next screen and select the .cer file which has been exported from another computer, then click Next.
    import browse next
  5. Now select “Automatically select the certificate store based on the type of certificate” and click Next.
    auto select certificate location
  6. On the final screen of the wizard, click Finish.

The certificate will now be updated on your computer which you can see through the Certificate Management Console.

Another way to install this exported certificate is directly through the .cer file. Double-click the .cer file to launch it. From the certificate, click Install Certificate.

install certificate
Install certificate

The Certificate Import Wizard will now be launched. From there, select Local Machine as the Store Location and then click Next.

local machine next
Import for local machine

The remaining steps for importing the certificate are the same as we had discussed above.

From an SST File

Serialized Certificate Store Format (SST) files are certificates created directly from a CA. An SST file contains certificates used to authenticate the identities of websites, apps, and programs.

The SST file can be downloaded on demand from Microsoft using Windows Update so you may have all the latest certificates at once.

Let us show you how to download the file, and then discuss different methods to install it.

Download Latest Root Certificates for Windows

cd /d "PathToFolder"

This is where the SST file will be downloaded. Replace PathToFolder with the complete path of the empty folder, as in the example below.

cd
Change directory
certutil.exe -generateSSTFromWU roots.sst
Download SST file
Download SST file

You will now find that the SST file has been downloaded. This file contains all the latest Root Certificates. You can now install them all at once, or one-by-one (only the ones that are required).

Install All Certificates using SST File

Once you open the downloaded roots.sst file, you will see that it holds many certificates. In our case, it holds 436 files. These can all be installed instantly using Windows PowerShell. Here is how:

  1. Open PowerShell with administrative privileges.
  2. Now run the following command while replacing CertPath with the complete path to the downloaded SST file:
    $sstStore = ( Get-ChildItem -Path <em>CertPath</em>\roots.sst)
  3. Next, paste the following command to import all the certificates on your PC:
    $sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
    Import all certificates

You will now find that the certificates have been imported to your machine from the downloaded SST file. You can verify this through the Certificate Management Console.

Install Individual Root Certificates using SST File

Another method to install the Root Certificates from an SST file is one-by-one. This may take a while, but the method can only be used when you wish to install specific certificates.

To do so, run the SST file by double-clicking on it. It will open in an identical console to MMC. From there, you can export a certificate and then import it on the local machine using the method we have already discussed above.

Alternatively, you can also double-click on the certificate and install it directly.

SST file
SST file

From an STL File

Serialized Certificate Trust List (STL) files also contain Root Certificates, but the file formatting is different than an SST file. Microsoft maintains an STL file you can download to obtain the latest Root Certificates for your Windows. The STL is updated twice a month.

Download Latest STL File

Once downloaded, extract its content using a third-party compression/decompression tool. The extracted folder should now contain only one STL file. You may then proceed to import the file using Command Line Interface (CLI).

cd /d "PathToExtracted"
cd 2
Navigate to extracted directory
certutil -addstore -f root authroot.stl
certutil2
Import STL file

You can now confirm that the latest certificates have been installed using the Certificate Management Console.

Final Thoughts

Although it may not seem like it, a Root Certificate is essential for your daily work on a PC, as it is making authorization handshakes and trust with other components in the background while you continue with your work.

However, once a certificate has expired, it can be safely deleted, as it is no longer valid. That said, we recommend that you install a new, valid certificate in its place before removing the old one.

on

Root-certificate-deployment

Adding custom root CA certificates to Debian is rather easy, but there are some non-obvious pitfalls that you might encounter. Here I’ve tried to collect most things to a single post for your convenience.

Adding Custom Root CA Certificates

But for claritys sake, I recommend that you create a subdirectory for each CA which makes things easier to keep track off.

sudo mkdir /usr/local/share/ca-certificates/my-custom-ca

Then copy your root CA certificate into the folder you just created.
Debian only supports certificates in the X509 form, aka. .crt, so if your certificate is in the .cer format, see my guide on how to convert it below.

sudo cp rootCA.crt /usr/local/share/ca-certificates/my-custom-ca/

Then you’ll need to run the update-ca-certificates command to make Debian load the certificates into it’s Trusted Root Certificate Store.

sudo update-ca-certificates

You should see an output similar to this

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Converting Certificates to .crt

Sometimes you’ll run into the problem that the root CA certificate that has been provided to you isn’t in the .crt format, but instead in the similar but not quite equivalent .cer format. Converting them is however quite easy using OpenSSL, just make sure that you use the full filepath for the .cer certificate.

openssl x509 -inform PEM -in <fullfilepath>/certificate.cert -out certificate.crt

Removing Custom Root CA Certificates

Removing your custom root CA certificate is even simpler, just delete the certificate from the folder you created earlier, and then ask Debian to update the CA certificate store, but completely this time

sudo update-ca-certificates --fresh

Categories: linux, Tech

От корневых сертификатов в системе может зависеть правильная работа при обращении к ресурсам, которые работают по зашифрованному каналу связи. Если данные сертификаты устареют, мы можем столкнуться с рядом проблем:

  • Не открываются или выдают предупреждение безопасности некоторые (или все) сайты, работающие по https.
  • Некорректная работа отдельных приложений.
  • Ошибки при подключении по ssh.

Установка пакета из репозитория
Установка загруженного пакета
Ручная настройка
Пример ручной настройки корневого сертификата от Let’s Encrypt
Дополнительные ссылки

Это пример ошибок, который не претендует на свою полному. Чаще всего, проблемы встречаются на системах, снятых с обслуживания.

Установка из репозитория

Самый простой способ, который нужно попробовать, установить сертификаты из официального репозитория системы. В зависимости от ее типа, наши команды будут немного отличаться.

а) для систем на базе DEB (Debian, Ubuntu, Mint):

apt install ca-certificates

б) для систем на базе RPM (Rocky Linux, CentOS):

yum install ca-certificates

Если нам повезет и в репозитории будут обновленные корневые центры, наша работа закончена. Иначе, устанавливаем сертификаты вручную.

Загрузка пакета с сертификатами

Установка из репозитория может не дать нужного эффекта, если в нем находятся не самые свежие сертификаты или наша система сильно устарела или не имеет выхода в Интернет.

В этом случае нам нужно загрузить пакет с корневыми сертификатами вручную. Разберем пример на системе Ubuntu. В официальном репозитории или в поисковой системе находим пакет для загрузки, например, по ссылке ftp.ru.debian.org/debian/pool/main/c/ca-certificates копируем ссылку на файл с последней версией сертификатов, и загружаем его на наш компьютер:

Полученный пакет устанавливаем в системе:

dpkg -i ca-certificates_*_all.deb

И обновляем корневые сертификаты:

Установка вручную

Выше рассмотрены самые удобные способы обновления корневых сертификатов. Но если у нас есть сертификат без пакета, то нам его нужно будет установить вручную.

Принцип данной установки сводится к двум шагам:

  1. Положит файл с сертификатом в определенный каталог.
  2. Запустить команду для импорта сертификата.

В зависимости от типа Linux, действия будут отличаться.

а) Для Deb (Debian / Ubuntu / Astra Linux)

б) Для RPM (Rocky Linux / РЕД ОС)

Копируем файл в каталог /etc/pki/ca-trust/source/anchors:

cp /foo/bar/cert.crt /etc/pki/ca-trust/source/anchors/

Ручная установка Let’s Encrypt

Мы можем столкнуться с ситуацией, когда в предоставляемых официальных пакетах не окажется обновленного сертификата. Например, на момент написания данной инструкции у систем на базе Deb не оказалось нового сертификата для Let’s Encrypt, а старый закончил свое действие 30 сентября 2021 года.

В данном случае, мы можем установить любой нужный нам сертификат руками. Для этого скачала находим его и копируем — приведем пример с Let’s Encrypt. На странице letsencrypt.org/ru/certificates мы можем увидеть ссылки на корневые сертификаты. Допустим, нам нужен Let’s Encrypt Authority X3 (Signed by ISRG Root X1), который доступен по ссылке letsencrypt.org/certs/letsencryptauthorityx3.pem.txt. Копируем последовательность и создаем файл на компьютере:

——BEGIN CERTIFICATE——
MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
——END CERTIFICATE——

Открываем на редактирование файл:

И добавляем в него строку с указанием на созданный файл:

Но в моем случае был прописан также файл с устаревшим сертификатом — указание на него нужно закомментировать:

После чего обновить сертификаты:

* опция fresh позволит не только добавить, но и удалить всего того, что нет в конфигурационном файле. Для нас это необходимо, чтобы убрать устаревший сертификат.

Мы должны увидеть что-то на подобие:

Читайте также

Также может быть полезным:

1. Ручное обновление корневых сертификатов на Windows.

2. Получение бесплатного SSL сертификата Let’s Encrypt.

Install-root-certificate-in-Windows

Root certificates are public-key certificates that help your system determine if a website or program is genuine and is based on whether the licensing authority is trusted and whether the digital certificate remains valid.

There are many certificate authorities, among which the most famous are Symantec® and Comodo®. And their root certificates are always freely available for download.

Windows has built-in certificates and automatically renews them. However, you can still optionally manually add additional root certificates to Windows from trusted certificate authorities (CAs).

This is just done in a few steps. The method is suitable for all versions of Windows.

  1. On the downloaded root certificate file, right-click and select the ‘Install Certificate’. In the window that opens, the installation wizard press ‘Next’.

    A screenshot of a computerDescription automatically generated

    A screenshot of a computerDescription automatically generated

  2. Next, you need to choose the right place to import – Trusted Root Certification Authorities.

    A screenshot of a cell phoneDescription automatically generated

    A screenshot of a cell phoneDescription automatically generated

  3. Then just continue the proposed steps of the wizard.

    A screenshot of a cell phoneDescription automatically generated

    A screenshot of a computerDescription automatically generated

  4. As a result, you need to confirm the installation of our certificate.

    A screenshot of a computerDescription automatically generated

    A screenshot of a cell phoneDescription automatically generated

Now all is done. Websites and programs authenticated by this root certificate will now work fine.


There are many good ways and many bad ways to install ROOT on a machine. Here are two of the good methods. In this method, any number of root versions can be build and install in the same machine.

Update (2021-05-05): The first method is preferred now.  However, one might opt the second method for the older versions of root (before v5.36.34).

Note: Sudo power is not needed for installation of ROOT except in the case of installing the prerequisites.

Warning: Newer ROOT versions requires active internet connection to build.

Execute the command mentioned bellow. That is all. The commands are self-explanatory.

  1. Install the ROOT Prerequisites compatible with your machine. It looks like the following for Ubuntu.
    sudo apt-get install dpkg-dev cmake g++ gcc binutils libx11-dev libxpm-dev libxft-dev libxext-dev python libssl-dev gfortran libpcre3-dev xlibmesa-glu-dev libglew1.5-dev libftgl-dev libmysqlclient-dev libfftw3-dev libcfitsio-dev graphviz-dev libavahi-compat-libdnssd-dev libldap2-dev python-dev libxml2-dev libkrb5-dev libgsl0-dev libqt4-dev
  2. Execute the commands mentioned bellow in a terminal.
    cd

    mkdir products (if not created earlier)

    mkdir ROOT (it not created earlier)

    wget https://root.cern/download/root_v6.22.08.source.tar.gz (or whichever you like from Downloading ROOT Site)

    rm -rf root_v6.22.08 (if already present)tar -zxvf root_v6.22.08.source.tar.gz

    mv root-6.22.08 root_v6.22.08

    make -j2 (change '2' to any number less than the available CPU cores)

    rm -rf root_v6.22.08-build

  3. At this point, the machine doesn’t know the location of the ROOT installation. There are two ways to set the ROOT environent. The first way is to add the following to the .bashrc file.
    # For ROOT
    export ROOTSYS=/home/maxi/products/ROOT/root_v6.22.08/
    export PATH=$ROOTSYS/bin:$PATH
    export LD_LIBRARY_PATH=$ROOTSYS/lib/:$LD_LIBRARY_PATH
    source /home/maxi/products/ROOT/root_v6.22.08/bin/thisroot.sh
  4. Open a new terminal. Execute root -l. You should see the root prompt now.
  5. One might build and install any number of ROOT versions in the ROOT directory. Just replace the directory path in the .bashrc file and you are good to go with the preferred version.
  1. Some packages need to be installed prior to install ROOT. These packages can be found on the Build Prerequisites Site. Search for the Operating System on which your PC is running. I recommend to install both the Required Packages and Optional Packages. Just copy the command line into a terminal. It should look like thisRoot-certificate-deployment
  2. Download any stable version (not PRO or DEV) of Source distribution (i.e. root_vX.XX.XX.source.tar.gz) from Downloading ROOT Site.

  3. Copy the ROOT Source file into this directory. Extract the source file using the following command.
    $ tar -zxvf root_vX.XX.XX.source.tar.gz
    One directory/folder containing the required files will be created. The file name should be root_vX.XX.XX, otherwise rename it. Then go to root_vX.XX.XX directory. Execute pwd command in the terminal. It should look like this.
    /home/maxi/products/root_vX.XX.XX
    If it is not then you are in wrong directory.
  4. Use the following command to configure the ROOT installation.
    $ ./configure
  5. After finishing the process, run the following command.
    $ make -jN
    where N is the number of thread(s)/core(s) on which you want to run the process. If you have a quad-core PC then use 3 (i.e. make -j3).
  6. Then try the next command.
    $ make install
    If everything goes fine then this message should come up on the terminal.
    Everything already installed!
    “source bin/thisroot.[c]sh”
  7. Now open a new terminal. Open the .bashrc file in any editor and add the following lines at the end of the file. Do not forget to modify the user name and version before adding the lines to .bashrc file. Save the file.
    # For ROOT
    export ROOTSYS=/home/user/products/root/root_vX.XX.XX
    export PATH=$ROOTSYS/bin:$PATH
    export LD_LIBRARY_PATH=$ROOTSYS/lib/:$LD_LIBRARY_PATH
  8. Open a new terminal. Execute root. The root prompt should open. It means that you have successfully installed root on your system.
  9. Now, I will not use this root prompt to execute any program. I prefer to make executables with c++ using only the specific classes required.
    So, execute .q on the terminal and it will make you out of the root prompt.

Дополнительно:  Как восстановить удаленные файлы на android без root
Оцените статью
Master Hi-technology
Добавить комментарий