How do I install a root certificate?

Question

Can anyone point me to a good tutorial on installing a root certificate on Ubuntu?

I've been provided with a .crt file. I gather that need to create a directory at /usr/share/ca-certificates/newdomain.org and place the .crt in that directory. Beyond that I'm not sure how to proceed.

Answer 1

Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

1. Create a directory for extra CA certificates in /usr/local/share/ca-certificates:

   sudo mkdir /usr/local/share/ca-certificates/extra
   

2. Copy the CA .crt file to this directory:

   sudo cp foo.crt /usr/local/share/ca-certificates/extra/foo.crt
   

3. Let Ubuntu add the .crt file's path relative to /usr/local/share/ca-certificates to /etc/ca-certificates.conf:

   sudo dpkg-reconfigure ca-certificates
   

   To do this non-interactively, run:

   sudo update-ca-certificates
   

In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

openssl x509 -in foo.pem -inform PEM -out foo.crt

Or a .cer file can be converted to a .crt file:

openssl x509 -inform DER -in foo.cer -out foo.crt

Answer 2

Given a CA certificate file 'foo.crt', follow these steps to install it on Ubuntu:

First, copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

then, update CA store

sudo update-ca-certificates

That's all. You should get this output:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:foo.pem
done.
done.

No file is needed to edit. Link to your CA is created automatically.

Please note that the certificate filenames have to end in .crt, otherwise the update-ca-certificates script won't pick up on them.

This procedure works also in newer versions: manuals.

Answer 3

Clarification between update-ca-certificates and dpkg-reconfigure ca-certificates and why one works and the other does not!!

• update-ca-certificates or sudo update-ca-certificates will only work if /etc/ca-certificates.conf has been updated.

• /etc/ca-certificate.conf is only updated once you ran dpkg-reconfigure ca-certificates which updates the certificate names to be imported into /etc/ca-certificates.conf.

This is stated in the header of the /etc/ca-certificates.conf file:

# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.  <=======
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/Actalis_Authentication_Root_CA.crt
mozilla/AddTrust_External_Root.crt
...

As you can see, the format in /etc/ca-certificates.conf is <folder name>/<.crt name>

So in order to use update-ca-certificates or sudo update-ca-certificates you could do the following to import a .crt:

1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

    sudo mkdir /usr/share/ca-certificates/extra
   

2. Copy the .crt file to this directory:

    sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
   

3. Append a line to /etc/ca-certificates.conf using <folder name>/<.crt name>:

    echo "extra/foo.crt" | sudo tee -a /etc/ca-certificates.conf
   

4. Update certs non-interactively with sudo update-ca-certificates

    $ sudo update-ca-certificates
    ...
    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done.
   

Answer 4

Install a Certificate Authority on Ubuntu

I have tested this on Ubuntu 14.04.

Here is my solution, I looked and looked for a long time trying to figure out how to get this to work.

1. Extract the .cer from browser. I used IE 11.
   • Settings -> Internet Options -> Intermediate Certificate Authorities
   • Select The Certificate Authority You Want To Export (certutil -config - -ping will show you the ones you are using if you are behind a corporate proxy)
   • Export -> Select The Format You Want To Use: DER Encoded .cer
2. Get the .cer files to Ubuntu somehow
3. Convert to .crt openssl x509 -inform DER -in certificate.cer -out certificate.crt
4. Make extra directory sudo mkdir /usr/share/ca-certificates/extra
5. Copy certificates over sudo cp certificate.crt /usr/share/ca-certificates/extra/certificate.crt
6. sudo update-ca-certificates
7. If not, then you have to do what I did, go to sudo nano /etc/ca-certificates.conf
8. Scroll down and find your .cer and remove the ! from in front of the file name (update-ca-certificates doc) - if you don't find your certificate run dpkg-reconfigure ca-certificates
9. Run sudo update-ca-certificates
10. You may need to individually trust the CAs from Firefox, Chrome, etc.. , I needed it to work with Docker so after these steps it worked with Docker.

Answer 5

Other answers didn't work for me with Ubuntu 18.04. Append the certificate cert to /etc/ssl/certs/ca-certificates.crt using the following command:

cat YOUR_CERT_HERE.crt >> /etc/ssl/certs/ca-certificates.crt 

Answer 6

Have the (root / CA) certificate available on a web server, local to your network if you like.

• Browse to it with Firefox.
• Open the cert and tell Firefox to add it as an exception.
• Firefox will ask you whether you want to trust this certificate for identifying websites, for e-mail users or for software publishers.
• Enjoy!

Update: It will be necessary to check if this works on Ubuntu 11. I've realised that I just did this on Ubuntu 12.04 LTS.

Answer 7

Here are the simple steps:

1. Install CA certificates to allow SSL-based applications to check for the authenticity of SSL connections:

   sudo apt-get install ca-certificates
   

2. Copy certificate file (crt or .cer) into /usr/local/share/ca-certificates/ folder, e.g.:

   sudo cp file.crt /usr/local/share/ca-certificates/
   

   For PEM file, see: Convert .pem to .crt and .key.

   Optionally, if using Charles proxy, this command can work:

   curl -L chls.pro/ssl | sudo tee /usr/local/share/ca-certificates/charles.crt
   

3. Update certificates:

   sudo update-ca-certificates
   

   The command will update /etc/ssl/certs directory to hold SSL certificates and generates ca-certificates.crt file (a concatenated single-file list of certificates).

   Note: Don't add certificates manually (as suggested here), as they are not persistent and going to be removed.

^{Note: If you're running as root, you can drop the sudo from the above commands.}

Answer 8

To add a Root CA certificate in FireFox is now-a-days very easy. Just open preferences, go to "Privacy & Security", scroll down to "Certificates" and click "View Certificates...". Here you can click "Import Certificate". Point to your root CA (.pem) and OK. That's all folks.

Answer 9

From here:

Installing the Certificate

You can install the key file example.key and certificate file example.crt, or the certificate file issued by your CA, by running following commands at a terminal prompt:

sudo cp example.crt /etc/ssl/certs
sudo cp example.key /etc/ssl/private

Now simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.