@gorshkov-leonid
Last active August 12, 2021 20:23
Unknown CA in WSL2 (Ubuntu as example)

How to check that a CA certificate is untrusted under WSL2 (Ubuntu) and fix it

  1. Check that the certificate is untrusted under WSL2

    HOST=abc.foo.cloud # or another
    openssl s_client -connect ${HOST}:443 -showcerts

    Result:

      CONNECTED(00000003)
      depth=0 O = Foo Technology, OU = ITDPL, CN = *.foo.cloud
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 O = Foo Technology, OU = ITDPL, CN = *.foo.cloud
      verify error:num=21:unable to verify the first certificate
      verify return:1
      ...

    Note the lines: unable to get local issuer certificate, unable to verify the first certificate

  2. Find the CA certificate in Windows: open certmgr.msc and navigate to Trusted Root Certification Authorities -> Certificates -> Foo Technology CA (here Foo Technology CA is an arbitrary name). Open it and save it as a *.cer file in Base-64 encoding, named for example foo.cer

  3. Convert to PEM format

    openssl x509 -in ./foo.cer -out ./foo.pem

  4. Add the certificate to the Ubuntu store

    sudo mkdir /usr/local/share/ca-certificates/foo
    sudo cp ./foo.pem /usr/local/share/ca-certificates/foo/foo.crt
    sudo update-ca-certificates

  5. Check the result:

    openssl s_client -connect ${HOST}:443 -showcerts

    Result:

      CONNECTED(00000003)
      depth=1 DC = com, DC = foo, CN = Foo Technology CA
      verify return:1
      depth=0 O = Foo Technology, OU = ITDPL, CN = *.foo.cloud
      verify return:1
      ...
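An added helper for the procedure above (not part of the original gist): it pulls the `verify error:num=` codes out of the step 1 `openssl s_client` output so the check can be scripted, and detects whether the `.cer` exported in step 2 is Base-64 (PEM) or DER, because certmgr.msc offers both encodings and `openssl x509` in step 3 needs `-inform DER` for the latter. The function names and the embedded sample output are constructed here.

```shell
#!/bin/sh
# Added helper, not from the original gist. Constructed sample output below
# mirrors the step 1 (untrusted) and step 5 (fixed) results.

# Print the distinct verify error codes found in s_client output, e.g. "20 21".
# Prints nothing and returns 0 when every chain depth verified; returns 1 otherwise.
tls_verify_errors() {
    codes=$(printf '%s\n' "$1" \
        | sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' \
        | sort -nu | tr '\n' ' ' | sed 's/ $//')
    printf '%s' "$codes"
    [ -z "$codes" ]
}

# Decide which -inform openssl x509 needs for an exported certificate file:
# PEM if it starts with the "-----BEGIN" armor, DER if the first byte is the
# ASN.1 SEQUENCE tag 0x30. Returns 1 for anything else.
cert_inform() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo PEM
    elif [ "$(od -A n -N 1 -t x1 "$1" | tr -d ' ')" = "30" ]; then
        echo DER
    else
        return 1
    fi
}

# Constructed sample: the untrusted result from step 1.
UNTRUSTED='CONNECTED(00000003)
depth=0 O = Foo Technology, OU = ITDPL, CN = *.foo.cloud
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Foo Technology, OU = ITDPL, CN = *.foo.cloud
verify error:num=21:unable to verify the first certificate
verify return:1'

# Constructed sample: the result from step 5 after the CA was added.
TRUSTED='CONNECTED(00000003)
depth=1 DC = com, DC = foo, CN = Foo Technology CA
verify return:1
depth=0 O = Foo Technology, OU = ITDPL, CN = *.foo.cloud
verify return:1'

# Usage: classify both samples (error code 20 = no local issuer, 21 = leaf unverifiable).
if codes=$(tls_verify_errors "$UNTRUSTED"); then
    echo "chain verified"
else
    echo "untrusted chain, verify error codes: $codes"
fi
tls_verify_errors "$TRUSTED" >/dev/null && echo "chain verified after adding the CA"
```

In practice feed the real output with `tls_verify_errors "$(openssl s_client -connect ${HOST}:443 </dev/null 2>&1)"`, and use `openssl x509 -inform "$(cert_inform ./foo.cer)" -in ./foo.cer -out ./foo.pem` for step 3.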