Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Check with the issuer of the CA certificate directly.
Caution - Do not rely on verification from an entity that did not issue the CA certificate. Do not install invalid CA certificates on your system that your software would treat as trustworthy.
Remove any text that surrounds the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Some applications are not able to handle the extra text.
For example, display the text of a certificate by using the openssl command.
# openssl x509 -noout -text -in Example_Root_CA.pem
The output should display the issuer, owner (Subject/DN), validity dates, signature algorithm, and public key, among other information.
If it is not, use the chmod command to make the file world-readable.
# chmod a+r Example_Root_CA.pem; ls -l Example_Root_CA.pem
-rw-r--r-- 1 root sys 1500 Sep 10 10:10 Example_Root_CA.pem
# cp -p Example_Root_CA.pem /etc/certs/CA/
# /usr/sbin/svcadm restart /system/ca-certificates
The service adds the certificate to the /etc/certs/ca-certificates.crt file and adds a hashed link in the /etc/openssl/certs directory.
When the service restarts, it processes your new CA certificate.
$ svcs -x ca-certificates
svc:/system/ca-certificates:default (CA Certificates Service)
 State: online since 10:10:10 2017
   See: openssl(5)
   See: /var/svc/log/system-ca-certificates:default.log
Impact: None.
If the service hasn't started, the certificate could be corrupt or could be a duplicate of an existing CA certificate. Look for error messages in the log file listed in the svcs -x command output. Also check the /system/volatile/system-ca-certificates:default.log file.
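The file-preparation steps above (removing text around the BEGIN and END lines, then making the file world-readable) can be scripted as follows. This is an added example, not part of the Oracle procedure: the function name clean_ca_pem and its arguments are hypothetical, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example: prepare a CA certificate file before copying it to
# /etc/certs/CA/. clean_ca_pem is a hypothetical helper, not a Solaris tool.

# Usage: clean_ca_pem INPUT OUTPUT
# Writes only the BEGIN/END CERTIFICATE block of INPUT to OUTPUT and makes
# OUTPUT world-readable. Fails, leaving no OUTPUT behind, unless INPUT holds
# exactly one complete certificate block.
clean_ca_pem() {
    src=$1
    dst=$2
    tmp="$dst.tmp.$$"
    if awk '
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) bad = 1          # BEGIN inside a block: malformed
            inside = 1
            blocks++
        }
        inside { print }                 # keep only lines within the block
        /^-----END CERTIFICATE-----$/ {
            if (!inside) bad = 1         # END with no matching BEGIN
            inside = 0
        }
        END { if (bad || inside || blocks != 1) exit 1 }
    ' "$src" > "$tmp"; then
        # Same permission change as the chmod step in the procedure.
        chmod a+r "$tmp" && mv "$tmp" "$dst"
    else
        rm -f "$tmp"
        echo "clean_ca_pem: $src must hold exactly one certificate block" >&2
        return 1
    fi
}

# Example use, with the file name from the procedure:
#   clean_ca_pem downloaded.txt Example_Root_CA.pem
#   openssl x509 -noout -text -in Example_Root_CA.pem
```

The function only isolates the PEM block. Confirming the certificate's details with the issuer remains a separate, manual step.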