Home / ubuntu / Questions / 73287
Accepted
Sparky1
Asked: 2011-10-29 10:01:00 +0800 CST

How do I install a root certificate?

  • 772

Can anyone point me to a good tutorial on installing a root certificate on Ubuntu?

I've been provided with a .crt file. I gather that need to create a directory at /usr/share/ca-certificates/newdomain.org and place the .crt in that directory. Beyond that I'm not sure how to proceed.

certificates

9 Answers

  1. Best Answer

    Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

    1. Create a directory for extra CA certificates in /usr/local/share/ca-certificates:

      sudo mkdir /usr/local/share/ca-certificates/extra

    2. Copy the CA .crt file to this directory:

      sudo cp foo.crt /usr/local/share/ca-certificates/extra/foo.crt

    3. Let Ubuntu add the .crt file's path relative to /usr/local/share/ca-certificates to /etc/ca-certificates.conf:

      sudo dpkg-reconfigure ca-certificates

      To do this non-interactively, run:

      sudo update-ca-certificates

    In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

    openssl x509 -in foo.pem -inform PEM -out foo.crt

    Or a .cer file can be converted to a .crt file:

    openssl x509 -inform DER -in foo.cer -out foo.crt
    • 466

  2. Given a CA certificate file 'foo.crt', follow these steps to install it on Ubuntu:

    First, copy your CA to dir /usr/local/share/ca-certificates/

    sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

    then, update CA store

    sudo update-ca-certificates

    That's all. You should get this output:

    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:foo.pem
done.
done.

    No file is needed to edit. Link to your CA is created automatically.

    Please note that the certificate filenames have to end in .crt, otherwise the update-ca-certificates script won't pick up on them.

    This procedure works also in newer versions: manuals.

    • 256

  3. Clarification between update-ca-certificates and dpkg-reconfigure ca-certificates and why one works and the other does not!!

    • update-ca-certificates or sudo update-ca-certificates will only work if /etc/ca-certificates.conf has been updated.

    • /etc/ca-certificate.conf is only updated once you ran dpkg-reconfigure ca-certificates which updates the certificate names to be imported into /etc/ca-certificates.conf.

    This is stated in the header of the /etc/ca-certificates.conf file:

    # This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.  <=======
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/Actalis_Authentication_Root_CA.crt
mozilla/AddTrust_External_Root.crt
...

    As you can see, the format in /etc/ca-certificates.conf is <folder name>/<.crt name>

    So in order to use update-ca-certificates or sudo update-ca-certificates you could do the following to import a .crt:

    1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

      sudo mkdir /usr/share/ca-certificates/extra

    2. Copy the .crt file to this directory:

      sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt

    3. Append a line to /etc/ca-certificates.conf using <folder name>/<.crt name>: 

      echo "extra/foo.crt" >> /etc/ca-certificates.conf

    4. Update certs non-interactively with sudo update-ca-certificates

      $ sudo update-ca-certificates
...
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
    • 19

  4. Install a Certificate Authority on Ubuntu

    I have tested this on Ubuntu 14.04.

    Here is my solution, I looked and looked for a long time trying to figure out how to get this to work.

    1. Extract the .cer from browser. I used IE 11.
      • Settings -> Internet Options -> Intermediate Certificate Authorities
      • Select The Certificate Authority You Want To Export (certutil -config - -ping will show you the ones you are using if you are behind a corporate proxy)
      • Export -> Select The Format You Want To Use: DER Encoded .cer
    2. Get the .cer files to Ubuntu somehow
    3. Convert to .crt openssl x509 -inform DER -in certificate.cer -out certificate.crt
    4. Make extra directory sudo mkdir /usr/share/ca-certificates/extra
    5. Copy certificates over sudo cp certificate.crt /usr/share/ca-certificates/extra/certificate.crt
    6. sudo update-ca-certificates
    7. If not, then you have to do what I did, go to sudo nano /etc/ca-certificates.conf
    8. Scroll down and find your .cer and remove the ! from in front of the file name (update-ca-certificates doc) - if you don't find your certificate run dpkg-reconfigure ca-certificates
    9. Run sudo update-ca-certificates
    10. You may need to individually trust the CAs from Firefox, Chrome, etc.. , I needed it to work with Docker so after these steps it worked with Docker.
    • 14

  5. Other answers didn't work for me with Ubuntu 18.04. Append the certificate cert to /etc/ssl/certs/ca-certificates.crt using the following command:

    cat YOUR_CERT_HERE.crt >> /etc/ssl/certs/ca-certificates.crt
    • 4

  6. Have the (root / CA) certificate available on a web server, local to your network if you like.

    • Browse to it with Firefox.
    • Open the cert and tell Firefox to add it as an exception.
    • Firefox will ask you whether you want to trust this certificate for identifying websites, for e-mail users or for software publishers.
    • Enjoy!

    Update: It will be necessary to check if this works on Ubuntu 11. I've realised that I just did this on Ubuntu 12.04 LTS.

    • 3

  7. From here:

    Installing the Certificate

    You can install the key file example.key and certificate file example.crt, or the certificate file issued by your CA, by running following commands at a terminal prompt:

    sudo cp example.crt /etc/ssl/certs
sudo cp example.key /etc/ssl/private

    Now simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.

    • 1

  8. To add a Root CA certificate in FireFox is now-a-days very easy. Just open preferences, go to "Privacy & Security", scroll down to "Certificates" and click "View Certificates...". Here you can click "Import Certificate". Point to your root CA (.pem) and OK. That's all folks.

    • 1

  9. Here are the simple steps:

    1. Install CA certificates to allow SSL-based applications to check for the authenticity of SSL connections:

      sudo apt-get install ca-certificates

    2. Copy certificate file (crt or .cer) into /usr/local/share/ca-certificates/ folder, e.g.:

      sudo cp file.crt /usr/local/share/ca-certificates/

      For PEM file, see: Convert .pem to .crt and .key.

      Optionally, if using Charles proxy, this command can work:

      curl -L chls.pro/ssl | sudo tee /usr/local/share/ca-certificates/charles.crt

    3. Update certificates:

      sudo update-ca-certificates

      The command will update /etc/ssl/certs directory to hold SSL certificates and generates ca-certificates.crt file (a concatenated single-file list of certificates).

      Note: Don't add certificates manually (as suggested here), as they are not persistent and going to be removed.

    Note: If you're running as root, you can drop the sudo from the above commands.

    • 1