How do you add a certificate authority (CA) to Ubuntu?
My work has decided to issue their own certificate authority (CA) to handle different aspects of our work securely without paying for certificates.
- Cryptographically sign emails
- Encrypt email contents
- Make access to things like the company IRC client-certificate based.
- Revoke the keys of former employees automatically
They sent me a `.pem` file, and I'm not sure how to add it to my Ubuntu install. The instructions sent were: "Double-clicking on it on a Mac should install it."
How do I proceed? Do I need to do something with OpenSSL to create a `.key`, `.csr`, or `.crt` file?
Solution 1:
Installing a CA
Copy your certificate in PEM format (the format that has `-----BEGIN CERTIFICATE-----` in it) into `/usr/local/share/ca-certificates` and name it with a `.crt` file extension.
Then run `sudo update-ca-certificates`.
Caveats: This installation only affects products that use this certificate store. Some products may use other certificate stores; if you use those products, you'll need to add this CA certificate to those other certificate stores, too. (Firefox Instructions, Chrome Instructions, Java Instructions)
Testing The CA
You can verify if this worked by looking for the certificate that you just added in `/etc/ssl/certs/ca-certificates.crt` (which is just a long list of all of your trusted CAs concatenated together).
You can also use OpenSSL's s_client by trying to connect to a server that you know is using a certificate signed by the CA that you just installed.
```
$ openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=1 C = US, ST = Virginia, O = "Whatever, Inc.", CN = whatever.com, emailAddress = [email protected]
verify return:1
depth=0 C = US, ST = Virginia, L = Arlington, O = "Whatever, Inc.", CN = foo.whatever.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Arlington/O=Whatever, Inc./CN=foo.whatever.com
   i:/C=US/ST=Virginia/O=Whatever, Inc./CN=whatever.com/[email protected]
... snip lots of output ...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1392837700
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
```
The first thing to look for is the certificate chain near the top of the output. This should show the CA as the issuer (next to `i:`). This tells you that the server is presenting a certificate signed by the CA you're installing.
Second, look for the `Verify return code` at the end to be set to `0 (ok)`.
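An added example (not code from any of the answers above) of checking by fingerprint that the CA file really landed in the bundle after `update-ca-certificates`, instead of scrolling through `/etc/ssl/certs/ca-certificates.crt` by eye. It uses only Python's standard library; the paths it takes on the command line are assumptions.

```python
"""Confirm a CA certificate is present in the system bundle by SHA-256 fingerprint.

The fingerprint is computed over the DER bytes inside the PEM block, which is
the same value `openssl x509 -noout -fingerprint -sha256` prints, so it can be
compared against what the CA operator published.
"""
import base64
import hashlib
import re
import sys

BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # Ubuntu's concatenated trust store
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every certificate block in a PEM text.

    Anything outside BEGIN/END lines (such as 'Bag Attributes' headers some
    tools emit) is ignored; whitespace inside the body is stripped before decoding.
    """
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_contains(bundle_text, ca_text):
    """True if every certificate in ca_text also appears in bundle_text."""
    installed = {sha256_fingerprint(d) for d in pem_certs(bundle_text)}
    wanted = [sha256_fingerprint(d) for d in pem_certs(ca_text)]
    if not wanted:
        raise ValueError("no PEM certificate block found in the CA file")
    return all(fp in installed for fp in wanted)


def main(ca_path, bundle_path=BUNDLE):
    with open(ca_path) as f, open(bundle_path) as g:
        ca_text, bundle_text = f.read(), g.read()
    for der in pem_certs(ca_text):
        print(sha256_fingerprint(der))
    return bundle_contains(bundle_text, ca_text)


if __name__ == "__main__":
    # usage: check_ca.py company-ca.pem [bundle-path]   (file names are assumptions)
    ok = main(sys.argv[1], *sys.argv[2:3])
    print("installed" if ok else "NOT in bundle (was the file named .crt?)")
    sys.exit(0 if ok else 1)
```

A non-zero exit most often means the copy in `/usr/local/share/ca-certificates` lacks the `.crt` extension or `update-ca-certificates` has not been run since it was copied.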
Solution 2:
`man update-ca-certificates`:
```
update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL
certificates and generates ca-certificates.crt, a concatenated single-file list of
certificates.

It reads the file /etc/ca-certificates.conf. Each line gives a pathname of a CA
certificate under /usr/share/ca-certificates that should be trusted. Lines that begin
with "#" are comment lines and thus ignored. Lines that begin with "!" are deselected,
causing the deactivation of the CA certificate in question. Certificates must have a .crt
extension in order to be included by update-ca-certificates.

Furthermore all certificates with a .crt extension found below /usr/local/share/ca-certificates
are also included as implicitly trusted.
```
From the above, I would infer that the preferred way to get local certificate files into the trusted store is to put them into `/usr/local/share/ca-certificates`, and then run `update-ca-certificates`. You do not need to touch `/etc/ssl/certs` directly.
Solution 3:
The other answers regarding `update-ca-certificates` are correct for applications that read from the system certificate store. For Chrome and Firefox, and probably some others, the certificate must be put in the nssdb, the backend for the Mozilla NSS library.
From https://code.google.com/p/chromium/wiki/LinuxCertManagement:
For example, to trust a root CA certificate for issuing SSL server certificates, use
```
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>
```
Where `<certificate nickname>` is arbitrary, and `<certificate filename>` is your `.pem` or `.crt` file.
Other helpful references:
- General description: https://wiki.archlinux.org/index.php/Network_Security_Services
- `certutil` man page, describing the parameters used above: https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil
Solution 4:
I had the same issue, and I had to copy the `.pem` file to `/usr/local/share/ca-certificates`, renaming it as `.crt`. The `.cer` file can easily be converted to `.pem` with openssl, for example, if you don't have the `.pem`.
After copying the file you must execute `sudo update-ca-certificates`.