SSL Cert Location

Hello Team, I would like to know where to stick the SSL cert in the Rocky Linux 9 OS and update it.

Best location for certs:

/etc/pki/tls/certs

for private key:

/etc/pki/tls/private

No luck… it didn’t go through it.

Define “it” and how you have configured “it” to use a SSL certificate.

Our org has released the SSL cert in order to use the internet; this SSL cert will help go through the firewall… the SSL cert is working fine on other Linux platforms like Ubuntu / CentOS.

Doesn’t really make sense, unless these are internally generated and require to be trusted. In which case perhaps putting them in /etc/pki/ca-trust/source/anchors and running update-ca-trust.

Otherwise just dropping a certificate on a system isn’t going to work - it would require additional configuration. You would need to explain in far greater detail how this is supposed to work for people to help you. Like maybe explain what you did on Ubuntu for it to work, or what you did on CentOS - since CentOS will work the same for Rocky pretty much in terms of instructions to follow.

But try the update-ca-trust and see what happens.


Still no luck. Below are the commands used on Ubuntu 20.04; after this we are able to communicate with the repos for updates, FYI:
$ sudo apt-get install -y ca-certificates
$ sudo cp local-ca.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates

So the equivalent in EL distributions is to put them in /etc/pki/ca-trust/source/anchors and then run update-ca-trust for trusting internal CAs.
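The EL procedure from the reply above, written out as a script with the checks an admin wants before trusting a file as a system anchor. This is an added example, not code from the thread or from the Rocky project; it assumes openssl is installed and, on a real EL host, update-ca-trust. ANCHOR_DIR can be pointed at a scratch directory for a dry run, and make_test_ca produces a constructed throwaway CA so the script can be exercised without the organisation's real certificate.

```shell
#!/bin/sh
# Install an internal CA certificate into the EL9 system trust store and verify it.
# Added example; assumes openssl and (on a real EL host) update-ca-trust are present.
# ANCHOR_DIR may be overridden, e.g. to a scratch directory, for a dry run.
set -eu

ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"

# Validate a candidate trust anchor. Prints "ok" and returns 0 only for a PEM
# certificate carrying basicConstraints CA:TRUE. A DER file, a private key or a
# leaf (server) certificate is rejected: none of those belongs in anchors/.
check_ca_cert() {
    cert="$1"
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "not-a-pem-cert"; return 1
    fi
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "ok"
    else
        echo "not-a-ca"; return 1
    fi
}

# Copy the CA into the anchors directory and rebuild the consolidated bundles
# (/etc/pki/tls/certs/ca-bundle.crt and the p11-kit stores). Prints the installed path.
install_ca() {
    cert="$1"
    name="${2:-$(basename "$cert" .crt)}"
    check_ca_cert "$cert" >/dev/null
    mkdir -p "$ANCHOR_DIR"
    install -m 0644 "$cert" "$ANCHOR_DIR/$name.crt"
    # Only regenerate the real system bundle when targeting the real anchors directory.
    if [ "$ANCHOR_DIR" = /etc/pki/ca-trust/source/anchors ] && command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust
    fi
    echo "$ANCHOR_DIR/$name.crt"
}

# Confirm a certificate chains to the bundle that curl/dnf actually read.
# Usage: verify_against_bundle /path/to/server.crt [bundle]
verify_against_bundle() {
    openssl verify -CAfile "${2:-/etc/pki/tls/certs/ca-bundle.crt}" "$1"
}

# Generate a throwaway self-signed CA for a dry run (constructed test data, not the
# organisation's CA). Writes the cert to $1 and the key to $1 with .crt replaced by .key.
make_test_ca() {
    out="$1"
    cfg="${out%.crt}.cnf"
    cat >"$cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Internal CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "${out%.crt}.key" -out "$out" 2>/dev/null
}

# Real-world use on an EL host: sh install-ca.sh /path/to/corp-root.crt
if [ -n "${1:-}" ]; then
    install_ca "$1"
fi
```

The CA:TRUE check matters because dropping a server (leaf) certificate into anchors/ silently does nothing useful: the trust store only consults it as an issuer. After update-ca-trust, verify_against_bundle against the regenerated ca-bundle.crt is the quickest way to confirm the tools will accept a certificate issued by the internal CA.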

Still the same: when I try to update, same error, after the SSL cert was copied and updated.

sudo dnf update
Rocky Linux 9 - BaseOS                          0.0  B/s |   0  B     00:05
Errors during downloading metadata for repository 'baseos':
  - Curl error (35): SSL connect error for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [error:0A000152:SSL routines::unsafe legacy renegotiation disabled]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (35): SSL connect error for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [error:0A000152:SSL routines::unsafe legacy renegotiation disabled]

After what is being said in this thread it is not fully clear to me if the certificate is “just” a CA certificate or a client certificate used for authentication and on which layer the authentication is supposed to take place.

There is such a thing as 802.1X.

If your infrastructure is using it, the following link may help.

But if you want to use the certificate just for dnf as a client certificate with the HTTPS protocol, then you probably want to configure yum/dnf. Maybe (personally I have not used client certificates with dnf) something like the following:

sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
sslclientcert=/etc/pki/tls/certs/cert.pem
sslclientkey=/etc/pki/tls/private/key.pem

Put that in your repo config or even into /etc/yum.conf.

However, the “unsafe legacy renegotiation disabled” message could hint towards some SSL incompatibility with your firewall.

error:0A000152:SSL routines::unsafe legacy renegotiation disabled

Seems this is the problem: legacy certificate. How has the certificate been generated? RSA 2048? SHA-1? Something else?

This post suggests a solution: Curl Panics unsafe legacy renegotiation disabled - #4 by svenc56

I looked up the history: it seems that vijay’s firewall does not implement RFC 5746 [1], which fixed CVE-2009-3555 [2]. It’s not the certificate that’s wrong. I also found an old article from Red Hat with fixes for RHEL 3, 4, 5 [3]. This is a fairly old issue from 2009/2010. What other weaknesses could be found in such a firewall?

[1] RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
[2] CVE - CVE-2009-3555
[3] Is Red Hat affected by TLS renegotiation MITM attacks (CVE-2009-3555)? - Red Hat Customer Portal
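A way to confirm the diagnosis in the post above before anyone touches the certificate: check whether the TLS endpoint the client actually talks to (here, the inspecting firewall) advertises the RFC 5746 renegotiation_info extension. This is an added example, not code from the thread; it assumes openssl is installed. OpenSSL 3 clients (EL9) refuse the handshake outright with the error shown in the thread, while OpenSSL 1.1.1 clients complete it and print a "Secure Renegotiation IS NOT supported" summary line, so the classifier below handles both forms; the sample outputs embedded at the end are constructed, not captured from the poster's network.

```shell
#!/bin/sh
# Diagnose the "unsafe legacy renegotiation disabled" failure by classifying what
# openssl s_client reports about a TLS endpoint. Added example; assumes openssl.
set -eu

# Classify openssl s_client output read from stdin. Prints one of:
#   legacy   - peer lacks RFC 5746 secure renegotiation (what EL9's OpenSSL 3 rejects)
#   secure   - peer advertises RFC 5746 secure renegotiation
#   tls13    - TLS 1.3 was negotiated; renegotiation does not exist there, so the
#              "IS NOT supported" line is expected and is not a problem
#   unknown  - no handshake summary found (e.g. the TCP connection failed)
reneg_status() {
    out=$(cat)
    case "$out" in
        # OpenSSL 3 client: handshake aborted before any summary is printed.
        *"unsafe legacy renegotiation disabled"*)  echo legacy ;;
        *"New, TLSv1.3"*)                          echo tls13 ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *"Secure Renegotiation IS NOT supported"*) echo legacy ;;
        *)                                         echo unknown ;;
    esac
}

# Probe a live endpoint. SNI is sent so an inspecting proxy answers as it would for
# that site. </dev/null ends the session right after the handshake; stderr carries
# the error text on OpenSSL 3, so it is merged. Usage: probe_host mirrors.rockylinux.org 443
probe_host() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 | reneg_status
}

# Constructed samples of the two client-side forms of the failure and two healthy cases.
SAMPLE_REFUSED='CONNECTED(00000003)
40E7B5C3577F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:922:'

SAMPLE_LEGACY='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE'

SAMPLE_SECURE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE'

SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE'

# Real-world use: sh reneg-check.sh <host> [port]
if [ -n "${1:-}" ]; then
    probe_host "$1" "${2:-443}"
fi
```

A "legacy" result against the firewall, combined with "secure" or "tls13" against the same mirror from a network that is not behind it, pins the fault on the middlebox rather than on the certificate or on dnf, which is the evidence to take to whoever owns the firewall: the fix is an updated inspection device, not a certificate change on the client.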


Good suggestion! I found that folder, I wish Rocky admin could have an article about this.