<div dir="ltr"><div>Hi Daiki: Your hints were right on the money. I was able to make my certificate permanent by:<br>
1. Running "trust anchor /path/to/mycert.pem"<br>
2. Editing "/etc/pki/ca-trust/source/mycert.p11-kit" and changing one line:<br>
certificate-category: other-entry<br>
to<br>
certificate-category: authority<br><br>
With that change, "trust list ..." displayed my server and update-ca-trust added my server cert to the java cacerts file.<br><br>
Thanks so much!<br>
Allen<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 25, 2017 at 9:11 AM, Daiki Ueno <span dir="ltr"><<a href="mailto:dueno@redhat.com" target="_blank">dueno@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<span class=""><br>
Allen Barnett <<a href="mailto:allenbarnett5@gmail.com">allenbarnett5@gmail.com</a>> writes:<br>
<br>
> /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors<br>
> --overwrite --purpose server-auth $DEST/java/cacerts<br>
<br>
</span>[...]<br>
<span class=""><br>
> Is there some way I can diagnose why p11-kit extract doesn't add my<br>
> certificate to java/cacerts? I ran it under strace and it definitely<br>
> opens and reads the PEM file. So, perhaps there's something about the<br>
> certificate itself that doesn't meet some criterion of p11-kit?<br>
<br>
</span>I would suggest to check if the filter condition given to "p11-kit<br>
extract" matches your certificate, by using the "trust list" command:<br>
<br>
  trust list --filter=ca-anchors --purpose server-auth<br>
<br>
If it doesn't include your certificate, then it's likely that the<br>
certificate doesn't have sufficient attributes.  In that case, you could<br>
attach them by doing:<br>
<br>
- add the certificate using the "trust anchor" command, rather than copying<br>
  the file directly into /etc/pki/ca-trust/source/anchors.  The command<br>
  will create /etc/pki/ca-trust/source/your-cert.p11-kit<br>
<br>
- create a file, say /etc/pki/ca-trust/source/your-cert-trust.p11-kit,<br>
  containing a trust assertion, something like:<br>
<br>
  [p11-kit-object-v1]<br>
  class: x-trust-assertion<br>
  x-assertion-type: x-anchored-certificate<br>
  x-purpose: "1.3.6.1.5.5.7.3.1"<br>
  -----BEGIN CERTIFICATE-----<br>
  ...<br>
  -----END CERTIFICATE-----<br>
<br>
cf:<br>
<br>
<a href="http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html" rel="noreferrer" target="_blank">http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html</a><br>
<a href="https://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/" rel="noreferrer" target="_blank">https://p11-glue.freedesktop.org/doc/pkcs11-trust-assertions/</a><br>
<br>
Regards,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Daiki Ueno<br>
</font></span></blockquote></div><br></div>
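The two file manipulations discussed in this thread, as an added example that is not part of either mail: rewriting the certificate-category attribute in the .p11-kit object that "trust anchor" writes (Allen's fix) and generating the companion trust-assertion object for the server-auth purpose OID (Daiki's suggestion). The attribute names and values come from the thread; the sample object and its PEM body are constructed placeholders, not a real certificate.

```python
import re

# Purpose OID for TLS server authentication (id-kp-serverAuth), as in Daiki's mail.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----", re.S)

def parse_p11kit_object(text):
    """Split a [p11-kit-object-v1] file into (attributes dict, PEM block).
    Attribute lines are 'key: value'; the PEM block is returned verbatim."""
    m = PEM_RE.search(text)
    pem = m.group(0) if m else ""
    head = text[:m.start()] if m else text
    attrs = {}
    for line in head.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#")):
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs, pem

def set_certificate_category(text, category="authority"):
    """Rewrite the certificate-category attribute (other-entry -> authority)
    and leave every other line, including the PEM block, untouched."""
    out, found = [], False
    for line in text.splitlines():
        if line.startswith("certificate-category:"):
            line, found = f"certificate-category: {category}", True
        out.append(line)
    if not found:
        raise ValueError("file has no certificate-category attribute")
    return "\n".join(out) + "\n"

def make_trust_assertion(pem, purpose_oid=SERVER_AUTH_OID):
    """Build the separate trust-assertion object Daiki describes for one purpose OID."""
    return (
        "[p11-kit-object-v1]\n"
        "class: x-trust-assertion\n"
        "x-assertion-type: x-anchored-certificate\n"
        f'x-purpose: "{purpose_oid}"\n'
        f"{pem.strip()}\n"
    )

# Constructed sample in the shape "trust anchor" writes; the PEM body is a placeholder.
SAMPLE = """[p11-kit-object-v1]
trusted: true
certificate-category: other-entry
-----BEGIN CERTIFICATE-----
MIIBsampleCONSTRUCTEDplaceholderNOTaREALcertificate==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    attrs, pem = parse_p11kit_object(set_certificate_category(SAMPLE))
    print(attrs["certificate-category"])   # prints "authority"
    print(make_trust_assertion(pem))
```

After writing the rewritten object and the assertion file under /etc/pki/ca-trust/source/, the check is the one Daiki gives: "trust list --filter=ca-anchors --purpose server-auth" should now show the certificate before you rerun update-ca-trust.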