
Managing Encryption and Certificates in Oracle® Solaris 11.4


Updated: May 2021

How to Add a Certificate to the Oracle Solaris CA Keystore

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Verify that the CA certificate is legitimate.

    Check with the issuer of the CA certificate directly.


    Caution  - Do not rely on verification from an entity that did not issue the CA certificate. Do not install a CA certificate whose legitimacy you cannot confirm: once it is in the keystore, software on the system trusts it and every certificate that it signs.


  2. Strip extra text from the certificate.

    Remove any text that surrounds the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, such as a textual dump of the certificate or mail headers. Some applications cannot parse a file that contains the extra text.

  3. Verify that the certificate is not corrupt.

    For example, display the text of a certificate by using the openssl command.

    # openssl x509 -noout -text -in Example_Root_CA.pem

    The output should display the issuer, owner (Subject/DN), validity dates, signature algorithm, and public key, among other information.

  4. Verify that the certificate file is world-readable.

    If it is not, use the chmod command to make the file world-readable.

    # chmod a+r Example_Root_CA.pem; ls -l Example_Root_CA.pem
    -rw-r--r--   1 root   sys    1500 Sep  10 10:10 Example_Root_CA.pem

  5. Copy the certificate to the /etc/certs/CA directory.

    For example:

    # cp -p Example_Root_CA.pem /etc/certs/CA/

  6. Restart the ca-certificates service.

    # /usr/sbin/svcadm restart /system/ca-certificates

    The service adds the certificate to the /etc/certs/ca-certificates.crt file and adds a hashed link in the /etc/openssl/certs directory.

  7. Verify that the CA certificate service has restarted.

    When the service restarts, it processes your new CA certificate.

    $ svcs -x ca-certificates
    svc:/system/ca-certificates:default (CA Certificates Service)
     State: online since 10:10:10 2017
       See: openssl(5)
       See: /var/svc/log/system-ca-certificates:default.log
    Impact: None.

Troubleshooting

If the service does not return to the online state (for example, svcs -x reports it in maintenance), the certificate could be corrupt or could be a duplicate of a CA certificate that is already installed. Look for error messages in the log file listed in the svcs -x command output. Also check the /system/volatile/system-ca-certificates:default.log file.
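
The following script is an added example and is not part of the Oracle documentation. It drives steps 2 through 7 of the procedure above from one command and, before touching the keystore, checks for the two failure causes that the Troubleshooting section names (a corrupt file and a duplicate of an installed CA). It assumes that the certificate path is passed as the first argument, that installed CA files are /etc/certs/CA/*.pem, and that the hashed link the service creates is /etc/openssl/certs/<subject-hash>.<n>; the CA:TRUE warning is an extra check not listed on the page. Step 1, confirming the certificate with its issuer, is a human check and is deliberately not automated.

```shell
#!/bin/sh
# Added example (not Oracle's code). Installs one CA certificate into the
# Oracle Solaris CA keystore following the documented procedure.
# Assumptions: $1 is the PEM file, installed CAs live in /etc/certs/CA/*.pem,
# the service links the new CA as /etc/openssl/certs/<subject-hash>.<n>.

CA_DIR=/etc/certs/CA
CA_SVC=svc:/system/ca-certificates:default
OPENSSL_CERTS=/etc/openssl/certs

# Step 2: keep only the PEM block; drop any surrounding text (a textual
# "Certificate:" dump, mail headers, trailing notes).
strip_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/   { p = 0 }' "$1"
}

# Number of PEM certificate blocks in a file; one file per CA is expected.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Step 3: the certificate parses (same openssl command as the page uses).
check_parses() {
    openssl x509 -noout -text -in "$1" >/dev/null 2>&1
}

# Step 4: the "other" read bit is column 8 of ls -l output (-rw-r--r--).
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Troubleshooting pre-check: an identical CA already in the keystore would
# make the service fail on restart. Compare SHA-256 fingerprints.
is_duplicate() {
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$1") || return 1
    for f in "$CA_DIR"/*.pem; do                 # assumed file layout
        [ -f "$f" ] || continue
        if [ "$(openssl x509 -noout -fingerprint -sha256 -in "$f" 2>/dev/null)" = "$fp" ]; then
            echo "duplicate of $f" >&2
            return 0
        fi
    done
    return 1
}

# Steps 2 to 7 in order; returns non-zero at the first failed check.
install_ca() {
    src=$1
    dst=$CA_DIR/$(basename "$src" .pem).pem
    tmp=$(mktemp) || return 1
    strip_pem "$src" > "$tmp"
    n=$(count_certs "$tmp")
    if [ "$n" != 1 ]; then
        echo "$src: expected one certificate, found $n" >&2; rm -f "$tmp"; return 1
    fi
    if ! check_parses "$tmp"; then
        echo "$src: openssl cannot parse the certificate" >&2; rm -f "$tmp"; return 1
    fi
    # Extra check: a trust anchor should carry basicConstraints CA:TRUE.
    openssl x509 -noout -text -in "$tmp" | grep -q 'CA:TRUE' ||
        echo "warning: $src has no basicConstraints CA:TRUE" >&2
    if is_duplicate "$tmp"; then rm -f "$tmp"; return 1; fi
    # Steps 4 and 5: install world-readable under /etc/certs/CA.
    cp "$tmp" "$dst" && chmod 644 "$dst" && rm -f "$tmp" || return 1
    is_world_readable "$dst" || { echo "$dst is not world-readable" >&2; return 1; }
    # Steps 6 and 7: restart the service and confirm it processed the file.
    /usr/sbin/svcadm restart "$CA_SVC" || return 1
    sleep 2                                  # let SMF run the restart method
    svcs -x ca-certificates
    ls -l "$OPENSSL_CERTS"/"$(openssl x509 -noout -hash -in "$dst")".*
}

if [ -n "${1:-}" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "assume the root role first" >&2; exit 1; }
    install_ca "$1"
fi
```

Run it as root with the PEM file as the only argument, for example `# sh install-ca.sh Example_Root_CA.pem`. The final `ls -l` on the hashed link is the check that distinguishes "service is online" from "service actually picked up this certificate": if the service restarted but the link is missing, inspect the log file named in the `svcs -x` output.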