Where OpenSSL Stores Its Trusted CA Certificates: Using "openssl pkcs12 -export -chain"

Submitted by Eus
on July 18, 2010 - 12:02pm

About three weeks ago I tried to export a public key certificate X along with the certificate of the CA that signs X, by adding the "-chain" switch to "openssl pkcs12 -export -out del.pkcs12 -in newcert.pem -inkey newkey.pem". However, I got an error: "Error unable to get local issuer certificate getting chain".

I knew that the error had to be related to the fact that the CA certificate was not listed in OpenSSL's trusted CA certificate database, because I had created the CA certificate myself using "/usr/lib/ssl/misc/CA.pl". So, I googled the error and found an answer in http://www.mail-archive.com/openssl-users@openssl.org/msg08153.html that basically says that the DB is simply a directory named "certs".

Since I remembered that "CA.pl" was stored in "/usr/lib/ssl/misc/", I browsed the parent directory hoping to see something that has to do with "certs". And, yes, I found "certs" in the parent directory as a symbolic link to "/etc/ssl/certs/".

I found further information on how to put the CA certificate into the DB in the man page of OpenSSL's "verify", specifically the explanation of "-CApath directory". This led to the "-hash" option of OpenSSL's "x509", giving the final command: openssl x509 -hash -in demoCA/cacert.pem.

To conclude, in GNU/Linux Ubuntu Jaunty, OpenSSL stores its trusted CA certificates in the directory /etc/ssl/certs/, and a new CA certificate can be put inside it after the certificate file is renamed to the hash value obtained from "openssl x509 -hash -in CA_CERT_FILE" suffixed with ".0".

PS: Just before posting this blog, I tried to google the title of my blog and landed on a more comprehensive guideline, http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl, that gives a list of OpenSSL trusted CA certificate DB directories on various platforms and also cleverly uses the "-noout" switch of the x509 command to produce only the hash of the CA certificate to be inserted into the DB, without any trailing data.
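The whole procedure from the post, put together as an added example script (not part of the original post, and not OpenSSL's own tooling): it builds a throwaway CA and a leaf certificate, installs the CA certificate into a hashed directory under the "hash.0" naming scheme using "openssl x509 -hash -noout", and then runs "openssl pkcs12 -export -chain" against that directory with "-CApath" instead of touching the system-wide /etc/ssl/certs/. All file names, subjects and the password "demo" are constructed for the example; the only assumption is that an "openssl" binary (1.1.1 or later) is on PATH. Two caveats worth knowing: "-hash" is an alias for "-subject_hash", and the hash algorithm changed in OpenSSL 1.0.0, so a file named with a 0.9.8-era hash is not found by later versions until the directory is rehashed ("c_rehash", or "openssl rehash" from 1.1.0 on); and the ".0" suffix is an index, so a second certificate whose subject hashes to the same value gets ".1".

```shell
#!/bin/sh
# Added example, not from the original post: install a CA certificate into a
# hashed -CApath directory and export a PKCS#12 bundle with its chain.
# Assumes "openssl" (1.1.1+) is on PATH; every path and name here is constructed.
set -eu

# Copy a CA certificate into "$ca_dir" under the name OpenSSL looks up:
# the subject hash from "openssl x509 -hash -noout" plus an index suffix.
install_ca_cert() {
    ca_cert="$1"; ca_dir="$2"
    mkdir -p "$ca_dir"
    hash=$(openssl x509 -hash -noout -in "$ca_cert")
    # ".0" is an index: a second CA with the same subject hash would get ".1".
    n=0
    while [ -e "$ca_dir/$hash.$n" ]; do n=$((n + 1)); done
    cp "$ca_cert" "$ca_dir/$hash.$n"
    echo "$ca_dir/$hash.$n"
}

# Export key + certificate + issuing CA into a PKCS#12 bundle, telling pkcs12
# where the trusted CA directory is instead of relying on the system default.
export_with_chain() {
    key="$1"; cert="$2"; ca_dir="$3"; out="$4"
    openssl pkcs12 -export -chain -CApath "$ca_dir" \
        -in "$cert" -inkey "$key" -out "$out" -passout pass:demo
}

# Count the certificates inside a PKCS#12 bundle (leaf + CA gives 2).
count_certs() {
    openssl pkcs12 -in "$1" -passin pass:demo -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# End-to-end run in a temporary directory; prints the certificate count.
demo() {
    work=$(mktemp -d)
    # Self-signed CA (constructed test data, not a real authority).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -keyout "$work/cakey.pem" -out "$work/cacert.pem" 2>/dev/null
    # Leaf key and request, signed by the CA.
    openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf.example.test' \
        -keyout "$work/newkey.pem" -out "$work/newreq.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$work/newreq.pem" -CA "$work/cacert.pem" \
        -CAkey "$work/cakey.pem" -CAcreateserial -out "$work/newcert.pem" 2>/dev/null
    # Without this step the export fails with "unable to get local issuer certificate".
    install_ca_cert "$work/cacert.pem" "$work/certs" >/dev/null
    export_with_chain "$work/newkey.pem" "$work/newcert.pem" "$work/certs" "$work/del.pkcs12"
    count_certs "$work/del.pkcs12"
    rm -rf "$work"
}
```

Running "demo" prints 2, the leaf certificate plus the CA that "-chain" pulled in from the hashed directory; dropping the install_ca_cert line reproduces the error from the post. To install into the real store instead, point install_ca_cert at /etc/ssl/certs/ (as root) and leave out "-CApath".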