When you use TLS, you can decide to use your own certificate authority (CA). Three main reasons:
If you pick #3, you should keep reading.
In many TLS clients (curl, wget, httpie…) and libraries, you have options like cacert or capath (or similar). These options are used to trust one or many Certificate Authorities.
When you run clients with one of these options, you pass the certificate or certificates you want to trust. But this is ambiguous, let’s see why.
So if you don’t want to trust your system’s CAs and use your own CA, you should make sure that all your TLS clients will not trust the system CAs even if you pass the « right » option.
You can easily test this by generating a self-signed cert:
$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 365 -out cert.pem -keyout key.pem -subj “/C=AU/ST=Victoria/L=Melbourne/O=PentesterLab/CN=pentesterlab.com”
And try to connect to a site using this certificate.
On Debian and Ubuntu, this should work:
$ curl — cacert=ca.pem https://pentesterlab.com
If you see an error message, you’re not trusted your system’s CAs (good). If you don’t see an error, you’re trusting your system’s CAs as well as ca.pem (not so good depending on your threat model).
Again not a big deal. Just something that may surprise a few people (including me).
As a developer, I kind of want that only my own CA be trusted when I use one of these options. If I want to trust my system CAs and my own CA, I will probably use different classes/functions for each use case and not mix them.