386

Can anyone point me to a good tutorial on installing a root certificate on Ubuntu?

I've been provided with a .crt file. I gather that I need to create a directory at /usr/share/ca-certificates/newdomain.org and place the .crt in that directory. Beyond that I'm not sure how to proceed.

Kevin Bowen
Sparky1

9 Answers

516

Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

  1. Create a directory for extra CA certificates in /usr/local/share/ca-certificates:

    sudo mkdir /usr/local/share/ca-certificates/extra
    
  2. Copy the CA .crt file to this directory:

    sudo cp foo.crt /usr/local/share/ca-certificates/extra/foo.crt
    

    (For Ubuntu 20.04 or higher the path is /usr/share/ca-certificates/extra/foo.crt)

  3. Let Ubuntu add the .crt file's path relative to /usr/local/share/ca-certificates to /etc/ca-certificates.conf:

    sudo dpkg-reconfigure ca-certificates
    

    To do this non-interactively, run:

    sudo update-ca-certificates
    

In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

    openssl x509 -in foo.pem -inform PEM -out foo.crt

Or a .cer file can be converted to a .crt file:

    openssl x509 -inform DER -in foo.cer -out foo.crt
gerrytan
Bai
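A check worth running before the copy step in the answer above, as an added example that is not part of the original answer: it detects whether the file is PEM or DER, counts the certificates in a PEM file, and stages a PEM `.crt` copy while printing subject, validity and SHA-256 fingerprint. The function names are hypothetical and `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: inspect a CA file before it goes into the system trust store.

# Print PEM, DER or unknown for the file given as $1.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo DER        # DER certificates start with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# Count certificates in a PEM file; a bundle would add every CA it contains.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write a PEM copy named *.crt into directory $2, then show what it contains.
stage_ca_cert() {
    local src=$1 destdir=$2 out
    out="$destdir/$(basename "${src%.*}").crt"
    case "$(cert_encoding "$src")" in
        PEM) openssl x509 -in "$src" -inform PEM -out "$out" ;;
        DER) openssl x509 -in "$src" -inform DER -out "$out" ;;
        *)   echo "not a certificate: $src" >&2; return 1 ;;
    esac
    # Subject, issuer, validity and SHA-256 fingerprint, for comparison with
    # the values the certificate's issuer gave you out of band.
    openssl x509 -in "$out" -noout -subject -issuer -dates -fingerprint -sha256
    # A root or intermediate must carry CA:TRUE in basicConstraints.
    openssl x509 -in "$out" -noout -text | grep -q 'CA:TRUE' ||
        { echo "warning: $out is not marked as a CA" >&2; return 2; }
}
```

Staging into a scratch directory first, for example `stage_ca_cert foo.cer /tmp/ca-stage`, keeps an unverified file out of the trust store until the fingerprint has been compared.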
275

Given a CA certificate file 'foo.crt', follow these steps to install it on Ubuntu:

First, copy your CA to dir /usr/local/share/ca-certificates/

    sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

then, update CA store

    sudo update-ca-certificates

That's all. You should get this output:

    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    Adding debian:foo.pem
    done.
    done.

No file needs to be edited. The link to your CA is created automatically.

Please note that the certificate filenames have to end in .crt, otherwise the update-ca-certificates script won't pick up on them.

This procedure works also in newer versions: manuals.

29

Clarification between update-ca-certificates and dpkg-reconfigure ca-certificates and why one works and the other does not!!

  • update-ca-certificates or sudo update-ca-certificates will only work if /etc/ca-certificates.conf has been updated.

  • /etc/ca-certificates.conf is only updated once you have run dpkg-reconfigure ca-certificates, which updates the certificate names to be imported into /etc/ca-certificates.conf.

This is stated in the header of the /etc/ca-certificates.conf file:

    # This file lists certificates that you wish to use or to ignore to be
    # installed in /etc/ssl/certs.
    # update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
    #
    # This is autogenerated by dpkg-reconfigure ca-certificates.  <=======
    # Certificates should be installed under /usr/share/ca-certificates
    # and files with extension '.crt' is recognized as available certs.
    #
    # line begins with # is comment.
    # line begins with ! is certificate filename to be deselected.
    #
    mozilla/ACCVRAIZ1.crt
    mozilla/AC_RAIZ_FNMT-RCM.crt
    mozilla/Actalis_Authentication_Root_CA.crt
    mozilla/AddTrust_External_Root.crt
    ...

As you can see, the format in /etc/ca-certificates.conf is <folder name>/<.crt name>

So in order to use update-ca-certificates or sudo update-ca-certificates you could do the following to import a .crt:

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

    sudo mkdir /usr/share/ca-certificates/extra
    
  2. Copy the .crt file to this directory:

    sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
    
  3. Append a line to /etc/ca-certificates.conf using <folder name>/<.crt name>:

    echo "extra/foo.crt" | sudo tee -a /etc/ca-certificates.conf
    
  4. Update certs non-interactively with sudo update-ca-certificates:

    $ sudo update-ca-certificates
    ...
    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done.
    
14

Install a Certificate Authority on Ubuntu

I have tested this on Ubuntu 14.04.

Here is my solution; I looked and looked for a long time trying to figure out how to get this to work.

  1. Extract the .cer from browser. I used IE 11.
    • Settings -> Internet Options -> Intermediate Certificate Authorities
    • Select The Certificate Authority You Want To Export (certutil -config - -ping will show you the ones you are using if you are behind a corporate proxy)
    • Export -> Select The Format You Want To Use: DER Encoded .cer
  2. Get the .cer files to Ubuntu somehow
  3. Convert to .crt: openssl x509 -inform DER -in certificate.cer -out certificate.crt
  4. Make extra directory: sudo mkdir /usr/share/ca-certificates/extra
  5. Copy certificates over: sudo cp certificate.crt /usr/share/ca-certificates/extra/certificate.crt
  6. sudo update-ca-certificates
  7. If not, then you have to do what I did, go to sudo nano /etc/ca-certificates.conf
  8. Scroll down and find your .cer and remove the ! from in front of the file name (update-ca-certificates doc) - if you don't find your certificate run dpkg-reconfigure ca-certificates
  9. Run sudo update-ca-certificates
  10. You may need to individually trust the CAs from Firefox, Chrome, etc. I needed it to work with Docker, so after these steps it worked with Docker.
Alex
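The two answers above both come down to the state of one line in /etc/ca-certificates.conf: present, prefixed with `!`, or missing. The following is an added example, not code from either answer, that reports that state and enables an entry idempotently instead of appending a duplicate line; the function names and the `CONF` override variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: query and edit entries in ca-certificates.conf format.
# CONF defaults to the real file; point it at a copy to experiment.
CONF=${CONF:-/etc/ca-certificates.conf}

# Print "selected", "deselected" or "absent" for an entry such as extra/foo.crt.
ca_entry_state() {
    local entry=$1
    if grep -qxF -- "$entry" "$CONF"; then
        echo selected
    elif grep -qxF -- "!$entry" "$CONF"; then
        echo deselected
    else
        echo absent
    fi
}

# Make sure an entry is selected exactly once: drop a leading "!" if present,
# append the line if it is missing, and do nothing if it is already there.
ca_entry_enable() {
    local entry=$1 tmp
    case "$(ca_entry_state "$entry")" in
        selected) return 0 ;;
        absent)   printf '%s\n' "$entry" >> "$CONF" ;;
        deselected)
            tmp=$(mktemp)
            # Rewrite only the exact "!entry" line; comments and other lines are kept.
            awk -v e="$entry" '$0 == "!" e { print e; next } { print }' "$CONF" > "$tmp"
            cat "$tmp" > "$CONF"   # overwrite in place to keep owner and mode
            rm -f "$tmp"
            ;;
    esac
}
```

Against the real file this needs root, and `sudo update-ca-certificates` still has to be run afterwards to rebuild /etc/ssl/certs.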
4

Other answers didn't work for me with Ubuntu 18.04. Append the certificate cert to /etc/ssl/certs/ca-certificates.crt using the following command:

    cat YOUR_CERT_HERE.crt >> /etc/ssl/certs/ca-certificates.crt
3

Have the (root / CA) certificate available on a web server, local to your network if you like.

  • Browse to it with Firefox.
  • Open the cert and tell Firefox to add it as an exception.
  • Firefox will ask you whether you want to trust this certificate for identifying websites, for e-mail users or for software publishers.
  • Enjoy!

Update: It will be necessary to check if this works on Ubuntu 11. I've realised that I just did this on Ubuntu 12.04 LTS.

Eliah Kagan
Ian Green
2

Here are the simple steps:

  1. Install CA certificates to allow SSL-based applications to check for the authenticity of SSL connections:

    sudo apt-get install ca-certificates
    
  2. Copy the certificate file (.crt or .cer) into the /usr/local/share/ca-certificates/ folder, e.g.:

    sudo cp file.crt /usr/local/share/ca-certificates/
    

    For PEM file, see: Convert .pem to .crt and .key.

    Optionally, if using Charles proxy, this command can work:

    curl -L chls.pro/ssl | sudo tee /usr/local/share/ca-certificates/charles.crt
    
  3. Update certificates:

    sudo update-ca-certificates
    

    The command will update the /etc/ssl/certs directory to hold SSL certificates and generate the ca-certificates.crt file (a concatenated single-file list of certificates).

    Note: Don't add certificates manually (as suggested here), as they are not persistent and are going to be removed.

Note: If you're running as root, you can drop the sudo from the above commands.

kenorb
1

To add a Root CA certificate in Firefox is nowadays very easy. Just open preferences, go to "Privacy & Security", scroll down to "Certificates" and click "View Certificates...". Here you can click "Import Certificate". Point to your root CA (.pem) and OK. That's all folks.

pizzamonster
1

From here:

Installing the Certificate

You can install the key file example.key and certificate file example.crt, or the certificate file issued by your CA, by running the following commands at a terminal prompt:

    sudo cp example.crt /etc/ssl/certs
    sudo cp example.key /etc/ssl/private

Now simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.

jat255