This is probably a very bad idea, but I wrote this script to download and trust the Root CA on Arch Linux.
It’s VERY IMPORTANT that you read and understand scripts online before copy/pasting and executing them on your own machine. This script grabs the Root CA Certificate for backend.beammp.com and installs it as a Trusted Root CA on your machine.
What does this mean? It means if anyone malicious has access to that Root CA, they can generate SSL certificates and trick your machine into thinking the site is trustworthy when its actually not.
Use this at your own risk!
EXPAND: Shell Script
To use it, throw it in a file (in my case, I named it ~/bin/trust-beammp) and give it execute permissions:
chmod +x ~/bin/trust-beammp
Then run it as follows:
~/bin/trust-beammp
You only ever have to run this once and then you never have to run it again!
#!/usr/bin/env bash
set -euo pipefail
DOMAIN="backend.beammp.com"
PORT="443"
# Create workspace
TMPDIR=$(mktemp -d)
trap 'rm -rf "$TMPDIR"' EXIT
CHAIN="$TMPDIR/chain.pem"
ROOT="$TMPDIR/root-ca.pem"
# Fetch the full chain
openssl s_client \
-showcerts \
-servername "$DOMAIN" \
-connect "${DOMAIN}:${PORT}" \
</dev/null \
> "$CHAIN" 2>/dev/null
# Count how many certificate blocks there are
BLOCKS=$(grep -c -- "-----BEGIN CERTIFICATE-----" "$CHAIN")
# Extract only the last one
awk -v target="$BLOCKS" '
/-----BEGIN CERTIFICATE-----/ { ++n; capture = (n==target) }
capture { print }
' "$CHAIN" > "$ROOT"
# Sanity-check it's really a CA
if ! openssl x509 -noout -text -in "$ROOT" \
| grep -q "CA:TRUE"; then
echo "Warning: extracted cert does not claim CA:TRUE" >&2
fi
# Install into trust anchors
sudo cp "$ROOT" /etc/ca-certificates/trust-source/anchors/"${DOMAIN}.pem"
# Rebuild the system bundles
sudo trust extract-compat
echo "Root CA for ${DOMAIN}:${PORT} installed and trusted."