How to install certificates for command line

So in school we need to install a certificate to access https sites. In firefox, I can import the certificate. However, I can’t do so with the command line. For example, running git push I get:

fatal: unable to access 'https://github.com/user/repo': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

How do I import a certificate to remove this? The import must be able to authenticate for me. Also, it is a .cer file, so the answer for .crt will not work. Also, I do not want steps on how to setup git, as I already have. I want to know if it is possible to do that. Or can I just disable authentication with the git command totally and make it ignore certificates like what the answer here says? Also, I do not want the webpage to load, I have set firefox to do that. I want the git push command to give the standard output like:

[master 630d087] message
 1 file changed, 93 insertions(+), 80 deletions(-)
 rewrite somefile (84%)
Counting objects: 9, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 978 bytes | 0 bytes/s, done.
Total 5 (delta 2), reused 0 (delta 0)
To https://github.com/User/Repo.git
   851ae39..630d087  master -> master

Note: I found out its git config --global http.sslverify false. But I would like to see an answer for everything, not just a git hack

To access a website with https, whether you are using a CLI or GUI browser, you don’t need your shool certificate.

To use git via http(s) you need to register your public key in your profile settings on GitHub.

More infos here. Change your GitHub profile here.


Try this:

sudo apt-get install w3m
w3m https://github.com/

… works without an additionally certificate.

Answered By: A.B.

Extensions .crt, .pem and .cer are interchangeable, just change the file name extension, they have the same form. Try this:

$ sudo cp mycert.cer /usr/share/ca-certificates/mycert.pem
$ sudo dpkg-reconfigure ca-certificates
$ sudo update-ca-certificates
$ git config --global http.sslCAInfo /usr/share/ca-certificates/mycert.pem
Answered By: Mike

TL;DR

For everything to work and not only your browser, you need to add that CA certificate to the system’s trusted CA repository.

In ubuntu:

  • Go to /usr/local/share/ca-certificates/
  • Create a new folder, i.e. "sudo mkdir school"
  • Copy the .crt file into the school folder
  • Make sure the permissions are OK (755 for the folder, 644 for the file)
  • Run "sudo update-ca-certificates"

Why

Let me explain what is going on also, so the other posters see why they don’t need any certificate to use Github over HTTPS.

What is going on there is that your school is intercepting all the SSL communications, probably in order to monitor them.

To do that, what they do is in essence a "man in the middle" attack, and because of that, your browser complains rightfully that it is not being able to verify github’s certificate. Your school proxy is taking out github’s cert and instead providing its own cert.

When your browser tries to verify the school’s provided cert against the CA that signed github’s cert, it rightfully fails.

So, for the SSL connection to work in the school, you need to consciously accept that "MITM" attack. And you do that by adding the school’s CA certificate as a trusted one.

When you trust that school CA, your verification of the fake github cert will work, since the fake github cert will be verified by the school CA.

Be aware that SSL connection is not safe anymore since your school administrator will be able to intercept all your encrypted connections.

Answered By: Telegrapher

The ca-certificates package has the instructions in its README.Debian:

If you want to install local certificate authorities to be implicitly trusted, please put the certificate files as single files ending with .crt into /usr/local/share/ca-certificates/ and re-run
update-ca-certificates.

Note that it mentions a directory different from the other answers here:

/usr/local/share/ca-certificates/

After copying into /usr/local/share/ca-certificates/ you can then update the cert’s permissions and run sudo update-ca-certificates as mentioned in Telegraphers answer. You will see in the output that the cert was added.

Answered By: Robert Siemer

I use the following compilation of previous answers:

sudo -i
echo | openssl s_client -showcerts -servername site.example.com -connect example.com:443 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/' >> /usr/local/share/ca-certificates/ca-certificates.crt 
update-ca-certificates

Often both site.example.com and example.com are the same hostnames.

Answered By: Tomilov Anatoliy

I was having a similar problem where installing the certificate in firefox and google chrome worked but Updating in terminal sudo apt-get update was not working and giving 403 Forbidden IP errors.
I was too having a sample.cer file. So basically I have to convert it to .crt first.

sudo openssl x509 -inform DER -in sample.cer -out sample.crt

Still while doing sudo dpkg-reconfigure ca-certificates I couldn’t find the required certificate.
The problem with me is that I was copying the certificate at the wrong place.

Instead of copying it at $/usr/share/ca-certificates I was copying it at $/usr/local/share/ca-certificates
But by placing it in the right place solved my problem.
But I’m still not able to update the packages or install new packages.

Quick fix (for me on):

Use of ftp instead of http

sudo sed -i s/http/ftp/ /etc/apt/sources.list && apt-get update

and above command worked.
Please make a copy of sources.list file before making the changes.

If anything is not clear or not proper please do correct me.

Answered By: Gopal Sharma

I read all solutions and solved like this;

sudo openssl x509 -inform DER -in certificate.cer -out certificate.crt

sudo mv certificate.crt /usr/share/ca-certificates/

cd /usr/share/ca-certificates

sudo chmod 644 certificate.crt

sudo dpkg-reconfigure ca-certificates

sudo update-ca-certificates
Answered By: Kadir Y.