How do I install a root certificate?
Installing a root/CA Certificate

Given a CA certificate file `foo.crt`, follow these steps to install it on Ubuntu:

- Create a directory for extra CA certificates in `/usr/local/share/ca-certificates`:

  ```
  sudo mkdir /usr/local/share/ca-certificates/extra
  ```

- Copy the CA `.crt` file to this directory:

  ```
  sudo cp foo.crt /usr/local/share/ca-certificates/extra/foo.crt
  ```

- Let Ubuntu add the `.crt` file's path relative to `/usr/local/share/ca-certificates` to `/etc/ca-certificates.conf`:

  ```
  sudo dpkg-reconfigure ca-certificates
  ```

  To do this non-interactively, run:

  ```
  sudo update-ca-certificates
  ```

In case of a `.pem` file on Ubuntu, it must first be converted to a `.crt` file:

```
openssl x509 -in foo.pem -inform PEM -out foo.crt
```

Or a `.cer` file can be converted to a `.crt` file:

```
openssl x509 -inform DER -in foo.cer -out foo.crt
```
Given a CA certificate file `foo.crt`, follow these steps to install it on Ubuntu:

First, copy your CA to the directory `/usr/local/share/ca-certificates/`:

```
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
```

Then update the CA store:

```
sudo update-ca-certificates
```

That's all. You should get this output:

```
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:foo.pem
done.
done.
```

No file needs to be edited. The link to your CA is created automatically.

Please note that the certificate filenames have to end in `.crt`, otherwise the `update-ca-certificates` script won't pick up on them.

This procedure also works in newer versions: manuals.
Clarification between `update-ca-certificates` and `dpkg-reconfigure ca-certificates` and why one works and the other does not!!

`update-ca-certificates` or `sudo update-ca-certificates` will only work if `/etc/ca-certificates.conf` has been updated. `/etc/ca-certificates.conf` is only updated once you run `dpkg-reconfigure ca-certificates`, which updates the certificate names to be imported into `/etc/ca-certificates.conf`.

This is stated in the header of the `/etc/ca-certificates.conf` file:
```
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates. <=======
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/Actalis_Authentication_Root_CA.crt
mozilla/AddTrust_External_Root.crt
...
```
As you can see, the format in `/etc/ca-certificates.conf` is `<folder name>/<.crt name>`.

So in order to use `update-ca-certificates` or `sudo update-ca-certificates`, you could do the following to import a `.crt`:

- Create a directory for extra CA certificates in `/usr/share/ca-certificates`:

  ```
  sudo mkdir /usr/share/ca-certificates/extra
  ```

- Copy the `.crt` file to this directory:

  ```
  sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
  ```

- Append a line to `/etc/ca-certificates.conf` using `<folder name>/<.crt name>`:

  ```
  # append as root: a bare '>>' redirection runs in the unprivileged shell and fails
  echo "extra/foo.crt" | sudo tee -a /etc/ca-certificates.conf
  ```

- Update certs non-interactively with `sudo update-ca-certificates`:

  ```
  $ sudo update-ca-certificates
  ...
  Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
  ```
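As an added example (not code from any of the answers above), here is a small Python parser for the `/etc/ca-certificates.conf` format quoted in this answer, with a check for the two conditions the answers state: an entry must end in `.crt` and the file must exist under the certificate directory. `SAMPLE_CONF` is a constructed sample, and the `installed` set is supplied directly instead of walking `/usr/share/ca-certificates` so the check runs offline.

```python
"""Parse the /etc/ca-certificates.conf format and flag entries that
update-ca-certificates would not pick up (added example, not from the page)."""

# Constructed sample following the header rules quoted above: '#' lines are
# comments, a leading '!' deselects a certificate, every other line names a
# certificate as <folder name>/<.crt name>.
SAMPLE_CONF = """\
# This is autogenerated by dpkg-reconfigure ca-certificates.
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
mozilla/ACCVRAIZ1.crt
!mozilla/AddTrust_External_Root.crt
extra/foo.crt
extra/bar.pem
"""


def parse_ca_conf(text):
    """Return (selected, deselected) entry lists from conf text."""
    selected, deselected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("!"):
            deselected.append(line[1:].strip())  # explicitly ignored cert
        else:
            selected.append(line)
    return selected, deselected


def check_entries(selected, installed):
    """Map each selected entry that cannot be picked up to the reason.

    `installed` is the set of '<folder>/<file>' paths that exist under the
    certificate directory (on a real host, built by walking
    /usr/share/ca-certificates). Only '.crt' files are ever recognized.
    """
    problems = {}
    for entry in selected:
        if not entry.endswith(".crt"):
            problems[entry] = "filename must end in .crt"
        elif entry not in installed:
            problems[entry] = "no such file under the certificate directory"
    return problems
```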