Fixing CA & Local Certificate Issues

TL;DR

This guide helps you troubleshoot problems with Certificate Authorities (CAs) and local certificates in your applications or system. We’ll cover common causes, checking certificate validity, adding trusted CAs, and dealing with self-signed certificates.

1. Understanding the Problem

Certificate errors usually mean your computer doesn’t trust the website or service you’re trying to connect to. This can happen for a few reasons:

  • Expired Certificate: The certificate has reached its end date.
  • Untrusted CA: Your system doesn’t recognise the authority that issued the certificate.
  • Self-Signed Certificate: A certificate created by the service itself, not a recognised CA (common in development environments).
  • Incorrect Date/Time: If your computer’s clock is wrong, it can cause validation errors.

2. Checking Certificate Validity

First, let’s check the certificate details to see what’s going on.

  1. In a Web Browser: Click the padlock icon in your browser’s address bar. Select ‘Certificate’ or similar (the exact wording varies by browser). Look at the ‘Valid from’ and ‘Valid to’ dates.
  2. Using OpenSSL (command line):

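    openssl s_client -connect example.com:443 </dev/null | openssl x509 -noout -text

    On its own, openssl s_client outputs a lot of handshake information, including the certificate chain, but it does not decode the dates. Piping the server certificate into openssl x509 -noout -text prints it in readable form. Look for ‘Validity’ to see the ‘Not Before’ and ‘Not After’ dates.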

3. Adding Trusted Certificate Authorities (CAs)

If the CA isn’t trusted, you need to add it to your system’s trust store. The process varies depending on your operating system:

  • Windows:
    1. Download the CA certificate (usually a .crt or .pem file).
    2. Double-click the file.
    3. Click ‘Install Certificate’.
    4. Select ‘Local Machine’ and click ‘Next’.
    5. Choose ‘Place all certificates in the following store’ and browse to ‘Trusted Root Certification Authorities’.
  • macOS:
    1. Double-click the CA certificate file.
    2. The Keychain Access app will open.
    3. Select the ‘System’ keychain.
    4. Double-click the certificate in Keychain Access.
    5. Expand ‘Trust’.
    6. Change ‘When using this certificate:’ to ‘Always Trust’.
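  • Linux (Debian/Ubuntu): Copy the PEM-encoded CA certificate into the local CA directory (the file name must end in .crt, otherwise it is skipped), then rebuild the trust store: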
    sudo cp ca-certificate.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates

4. Dealing with Self-Signed Certificates

Self-signed certificates are common in development, but browsers will warn you because they aren’t verified by a trusted CA.

  • Temporary Trust (Browser): Most browsers allow you to add an exception for the self-signed certificate. Be careful doing this – only do it for sites you trust!
  • Add to Trust Store: You can also add self-signed certificates to your system’s trust store, similar to adding a CA (see step 3). However, this is generally not recommended for production environments.

5. Check System Date and Time

An incorrect date or time on your computer can cause certificate validation failures.

  • Windows: Right-click the clock in the system tray, select ‘Adjust date/time’. Ensure it’s set to automatically sync with an internet time server.
  • macOS: System Preferences > Date & Time. Enable ‘Set date and time automatically’.
  • Linux: Use a command like timedatectl status to check the current time, and sudo timedatectl set-ntp true to enable network time synchronization.

6. Application Specific Configuration

Some applications (like Python with requests or Node.js) have their own ways of handling certificates.

  • Python (requests): You can specify a path to your CA bundle using the verify parameter:
    import requests
    response = requests.get('https://example.com', verify='/path/to/your/ca-bundle.pem')
  • Node.js: You can set the NODE_EXTRA_CA_CERTS environment variable to point to a file containing trusted CA certificates.
    NODE_EXTRA_CA_CERTS=/path/to/your/ca-bundle.pem node your-script.js
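
The checks from sections 1, 2 and 5 can also be scripted. The following is an added example, not part of the original guide: it uses Python's standard ssl module to attempt a verified handshake and translate a failure into the causes listed in section 1. The function names (classify, validity, diagnose) and the sample certificate dates are constructed for illustration.

```python
import socket
import ssl
import time

# OpenSSL X509_V_ERR_* numbers, exposed by Python as
# ssl.SSLCertVerificationError.verify_code, mapped to the causes in section 1.
CAUSES = {
    9: "not yet valid: check the system date and time (section 5)",
    10: "expired: the certificate is past its end date and must be renewed",
    18: "self-signed certificate: see section 4",
    19: "self-signed CA in chain: add the CA to the trust store (section 3)",
    20: "untrusted CA: add the issuing CA to the trust store (section 3)",
}

def classify(verify_code):
    """Translate an OpenSSL verify code into one of the guide's causes."""
    return CAUSES.get(verify_code, f"other verification failure (code {verify_code})")

def validity(cert, now=None, warn_days=30):
    """Compare the notBefore/notAfter fields of a getpeercert() dict with `now`."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < start:
        return classify(9)
    if now > end:
        return classify(10)
    days_left = int((end - now) // 86400)
    return f"valid, {days_left} days left" + (" (renew soon)" if days_left < warn_days else "")

def diagnose(host, port=443, cafile=None, timeout=5):
    """Handshake with verification on; return the failure cause or the validity window."""
    # With cafile set, only that bundle is trusted (as with requests' verify=path);
    # with cafile=None the system trust store is used.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return validity(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)

if __name__ == "__main__":
    # Constructed sample in the format getpeercert() returns; no network needed.
    sample = {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT"}
    print(validity(sample, now=1735689600 + 86400))  # clock one day past notAfter
    print(classify(20))
```

Passing a different now value to validity() shows how a wrong system clock turns a good certificate into an "expired" or "not yet valid" one.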