
Managing Encryption and Certificates in Oracle® Solaris 11.3


Updated: December 2018

Adding CA Certificates to the Oracle Solaris CA Keystore

Oracle Solaris provides a keystore for Certificate Authority (CA) certificate files. After you add a certificate to the keystore or remove one from it, you restart the SMF ca-certificates service so that it rebuilds the bundle file and the hashed links that applications use.

An X.509 certificate contains a public key (commonly RSA or ECDSA), the name of the key holder (the Subject, usually identified by its CN), and the name of the issuer that signed the certificate. With the public key, software can verify that a file or object was signed with the key holder's private key; the issuer's signature on the certificate binds that key to the subject name. CA certificates are issued by well-known organizations and serve as trust anchors: a certificate is considered legitimate, and its public key trusted, when it chains to a CA certificate in the keystore.

Oracle Solaris keeps the CA certificates in the /etc/certs/CA directory. Hashed links to the CA certificates are in the /etc/openssl/certs directory to enable fast lookup and access, typically by OpenSSL. Usually, each filename in the /etc/certs/CA directory is the certificate holder's CN with spaces replaced by underscores ("_") and appended with a .pem extension. For example, the file /etc/certs/CA/ExampleCo-_G3.pem contains the certificate for CN "ExampleCo Class 4 Public Primary Certification Authority - G3".

If you need to verify a certificate with a CA certificate that is missing, you can add the certificate manually. See How to Add a CA Certificate to the Oracle Solaris CA Keystore.

How to Add a CA Certificate to the Oracle Solaris CA Keystore

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Verify that the CA certificate is legitimate.

    Check with the issuer of the CA certificate directly.


    Caution  -  Do not rely on verification from an entity that did not issue the CA certificate. Any CA certificate you install in the keystore is treated as a trust anchor by software that uses it, so do not install a certificate whose origin you cannot confirm.


  2. Strip extra text from the certificate.

    Remove any text that surrounds the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Some applications are not able to handle the extra text.

  3. Verify that the certificate is not corrupt.

    For example, display the text of a certificate by using the openssl command.

    # openssl x509 -noout -text -in Example_Root_CA.pem

    The output should display the issuer, owner (Subject/DN), validity dates, signature algorithm, and public key, among other information. If openssl instead reports an error such as "unable to load certificate", the file is corrupt, is not in PEM format, or still contains surrounding text.

  4. Verify that the certificate file is world-readable.

    If it is not, use the chmod command to make the file world-readable.

    # chmod a+r Example_Root_CA.pem; ls -l Example_Root_CA.pem
    -rw-r--r--   1 root   sys    1500 Sep  10 10:10 Example_Root_CA.pem
  5. Copy the certificate to the /etc/certs/CA directory.

    For example:

    # cp -p Example_Root_CA.pem /etc/certs/CA/
  6. Restart the ca-certificates service.
    # /usr/sbin/svcadm restart /system/ca-certificates

    The service adds the certificate to the /etc/certs/ca-certificates.crt file and adds a hashed link in the /etc/openssl/certs directory.

  7. Verify that the CA certificate service has restarted.

    When the service restarts, it processes your new CA certificate.

    $ svcs -x ca-certificates
    svc:/system/ca-certificates:default (CA Certificates Service)
     State: online since Sat Sep 10 10:10:10 2016
       See: openssl(5)
       See: /var/svc/log/system-ca-certificates:default.log
    Impact: None.
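The following script is an added example and is not part of the Oracle documentation; it carries out steps 2 through 7 of the procedure above for a single certificate file and stops at the first check that fails. The function names, the CA_DIR, SVCADM and OPENSSL_CERTS variables, and the use of the OpenSSL subject hash to locate the link the service creates are assumptions of this example, not interfaces documented on this page; the variables default to the paths the page gives and can be overridden to rehearse the checks on a non-Solaris host.

```shell
#!/bin/sh
# Added example, not Oracle's own code. Installs one CA certificate into the
# Oracle Solaris CA keystore, performing the checks from the procedure above.
# Assumed names: install_ca_cert and its helpers; CA_DIR, SVCADM and
# OPENSSL_CERTS default to the paths the page describes.

CA_DIR="${CA_DIR:-/etc/certs/CA}"
SVCADM="${SVCADM:-/usr/sbin/svcadm}"
OPENSSL_CERTS="${OPENSSL_CERTS:-/etc/openssl/certs}"
CA_FMRI="svc:/system/ca-certificates:default"

# Step 2: keep only the BEGIN/END CERTIFICATE block(s); surrounding text
# (a human-readable dump, mail headers) is dropped.
strip_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Number of PEM certificate blocks in a file. A CA file should hold exactly one.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Step 3: a corrupt or non-PEM file fails to parse. Exit status 0 if the
# certificate parses, 1 if it does not, 2 if openssl is not installed.
verify_pem() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# Step 4: world-readable means the "other" read bit (column 8 of ls -l) is set.
# The -r test alone is not enough because root can read any file.
is_world_readable() {
    [ -r "$1" ] && [ "$(ls -l "$1" | cut -c8)" = "r" ]
}

# Steps 2-7 in order. Usage: install_ca_cert /path/to/Example_Root_CA.pem
install_ca_cert() {
    src="$1"
    dst="$CA_DIR/$(basename "$src")"
    tmp="${TMPDIR:-/tmp}/cacert.$$"

    strip_pem "$src" > "$tmp"
    n=$(count_certs "$tmp")
    if [ "$n" -ne 1 ]; then
        echo "$src: expected 1 certificate block, found $n" >&2
        rm -f "$tmp"; return 1
    fi
    if ! verify_pem "$tmp"; then
        echo "$src: openssl cannot parse the certificate (corrupt, or openssl missing)" >&2
        rm -f "$tmp"; return 1
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists; refusing to overwrite a keystore entry" >&2
        rm -f "$tmp"; return 1
    fi

    chmod a+r "$tmp"                      # step 4
    cp -p "$tmp" "$dst" || { rm -f "$tmp"; return 1; }   # step 5
    rm -f "$tmp"
    is_world_readable "$dst" || { echo "$dst is not world-readable" >&2; return 1; }

    "$SVCADM" restart "$CA_FMRI" || return 1             # step 6

    # Step 7: the service must come back online, otherwise see its log.
    state=$(svcs -H -o state "$CA_FMRI")
    if [ "$state" != "online" ]; then
        echo "$CA_FMRI is $state; check /var/svc/log/system-ca-certificates:default.log" >&2
        return 1
    fi
    # Assumption of this example: the hashed link is named after the OpenSSL
    # subject hash, as c_rehash names it. Missing link is reported, not fatal.
    hash=$(openssl x509 -noout -subject_hash -in "$dst")
    ls "$OPENSSL_CERTS"/"$hash".* >/dev/null 2>&1 \
        || echo "warning: no $OPENSSL_CERTS/$hash.* link found" >&2
    echo "installed $dst"
}

# Run directly with a file argument; when sourced, the functions are just defined.
if [ $# -ge 1 ] && [ -f "$1" ]; then
    install_ca_cert "$1"
fi
```

Run it as root with the certificate file as the only argument. The duplicate check is deliberately by file name only: a certificate that already exists under a different name still makes the service fail on restart, which the online-state check after the restart catches.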

Troubleshooting

If the service does not come back online (svcs -x reports it in the maintenance state), the certificate could be corrupt or could be a duplicate of a CA certificate that is already in the keystore. Look for error messages in the log file listed in the svcs -x output, and also check the /system/volatile/system-ca-certificates:default.log file. After you remove or repair the offending file in /etc/certs/CA, clear and restart the service with svcadm clear and svcadm restart.