Use update-ca-trust! Or update-ca-certificates.

Don’t just append the /etc/ssl/certs/ca-certificates.crt or the /etc/ssl/certs/ca-bundle.crt.

Not long ago, I thought that it didn’t matter. I figured since the update-ca-trust command just updated the bundle, I might as well skip a step and go directly. I was wrong. Don’t do it. I guess that’s why people actually have processes and directions to follow.

The files are not meant to be edited manually. They are generated by the update-ca-trust or update-ca-certificates commands, which scan the /etc/pki/ca-trust/source/anchors or /usr/local/share/ca-certificates directories for custom CAs, and then concatenate them with the system CAs into a single file. If you edit these files directly, your changes will be overwritten the next time these commands are run. This could mean that your changes would not survive a patching if the ca-certificates package is updated.

The reason why you want to put the certificate issuers in /etc/pki/ca-trust/source/anchors/ or /etc/ssl/certs/ and use the update-ca-trust enable/extract commands is so that it can survive an update. If someone decides to patch the machine and there are other certificates being updated, the one that you appended to the bundle will get deleted.

Follow the process! For me, that’s basically:

1. Copy your custom CA file (in PEM format) to the /etc/pki/ca-trust/source/anchors directory on Red Hat-based systems, or the /usr/local/share/ca-certificates directory on Debian-based systems. Make sure the file has a .crt extension.
2. Run the update-ca-trust or update-ca-certificates command as root. This will regenerate the /etc/ssl/certs/ca-certificates.crt or the /etc/ssl/certs/ca-bundle.crt file with your custom CA included.
3. Restart any services or applications that use SSL/TLS connections, such as web servers, browsers, curl, etc. They should now trust your custom CA.

AIX notes … ipfilter, unzip, zlib, openssh, openssl

I had the privilege of experiencing AIX for the very first time this week. Hopefully this can save someone else time.

Some packages that aren’t installed by default that you might want include openssl, openssh, unzip, zlib, and IPFilter.

I would probably start with openssl/openssh. In AIX 7.2, you can do it in the OS installer. To do it outside of the installer, keep the installation cd in and run the following commands:

mount -V cdrfs -o ro /dev/cd0 /mnt
cd /mnt/usr/sys/inst.images/
installp -ac -Y -d . openssh.base openssl.base openssl.man.en_US openssh.man.en_US
lssrc -s sshd
umount /mnt

The default partitions aren’t big enough! Fortunately, it’s very easy to extend the partitions. You can do so with the following commands:

chfs -a size=+4G /opt
chfs -a size=+4G /var
chfs -a size=+4G /home
chfs -a size=+4G /usr
chfs -a size=+2G /tmp
chfs -a size=+4G /admin

Installing 3rd party software:

You can download unzip from:  https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/unzip/unzip-6.0-3.aix6.1.ppc.rpm. You can install it with “rpm -i” just like in Linux. Another open for unzipping files without unzip is using jar. You can run “jar -xvf” on a file and it can unzip it as well.

If you need the zlib library, you can get it from:  https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/zlib/zlib-1.2.11-1.aix6.1.ppc.rpm.

You can install IPFilter from https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp. It will require a login, but not a serial number. Just create a login and download. Installing IPFilter is a little different. It installs like an AIX package, with installp. Unzip the contents of the IPFilter_Fileset.zip and go into the IPFilter_Fileset directory and run the following commands:

inutoc .
installp -ac -gXY -d. ipfl