Doubt about SSL Decryption

Hello!! :smiley:
I am running tests in my home lab — specifically, I want to enable SSL decryption by my Sophos firewall.

I have a root certificate (CA) in .pem format downloaded from the firewall. I need the entire system (including browsers) to trust this certificate in order to perform SSL decryption.

I’ve been researching, and I believe certificate management is done using p11-kit and the trust command.

I think this would be the correct procedure to install the .pem certificate:

  1. sudo cp certificat.pem /etc/ca-certificates/trust-source/anchors/

  2. sudo trust extract-compat

  3. trust list | grep -A 10 "Sophos"

Is this correct?

Best regards and thank you very much!!

I believe it’s simply

sudo trust anchor *certificate.crt*

https://wiki.archlinux.org/title/Transport_Layer_Security#Add_a_certificate_to_a_trust_store

Then, should I convert the certificate from .pem to .crt or not?

Also, where should I place the certificate?

Best regards.

The certificate should be in the PEM format, but the file extension needs to be .crt

Move the file into

/etc/ca-certificates/trust-source/anchors/

and run trust extract-compat as root or with sudo.

Also see Arch Linux - News: ca-certificates update

Keep in mind that not all programs use the system trust store. Some programs, specifically browsers, might use their own, and you need to import your certificate into these programs again.

2 Likes
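The reply above separates the certificate's encoding (PEM) from its file name (.crt). As an added example that is not part of the thread, these shell functions check the encoding from the file's content and stage a single-certificate PEM file in the anchors directory; the function names and the one-certificate-per-file policy are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: classify a certificate file by content, then stage it as an anchor.
# The default directory is the one named in the thread; pass another for a dry run.
ANCHOR_DIR_DEFAULT=/etc/ca-certificates/trust-source/anchors

# Print "pem", "der" or "unknown" based on the file's bytes, never its extension.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der    # DER certificates start with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# Count the certificates in a PEM file; an export may be a chain or a bundle.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Copy a single-certificate PEM file into the anchors directory under a .crt name.
# Prints the destination path; returns non-zero without copying otherwise.
stage_anchor() {
    src=$1
    dir=${2:-$ANCHOR_DIR_DEFAULT}
    enc=$(cert_encoding "$src")
    if [ "$enc" != pem ]; then
        echo "refusing $src: encoding is $enc, expected pem" >&2
        return 1
    fi
    # Policy assumed by this example: one CA per file, so the anchor is explicit.
    n=$(count_pem_certs "$src")
    if [ "$n" -ne 1 ]; then
        echo "refusing $src: contains $n certificates, expected 1" >&2
        return 1
    fi
    base=$(basename "$src")
    dest="$dir/${base%.*}.crt"
    cp -- "$src" "$dest" && echo "$dest"
}
# After a successful stage_anchor as root, run: sudo trust extract-compat
```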

Hello!!
It has worked, but I had to use a different certificate than the Sophos documentation specifies.

Also, it hasn’t been necessary to change the extension from pem to crt.

Now, I have to add as exceptions the 1.000.000 repos from Manjaro in order to update the system!! :rofl::rofl:

Thank you very much and best regards!!
