Install a root CA certificate in the trust store

Enterprise environments sometimes have a local Certificate Authority (CA) that issues certificates for use within the organisation. For an Ubuntu server to be functional, and to trust the hosts in this environment, this CA must be installed in Ubuntu’s trust store.

Certificate formats

There are two encoding formats for certificates:

  • Privacy Enhanced Mail (PEM): These are human-readable and in Base64-encoded ASCII format.
  • Distinguished Encoding Rules (DER): These are encoded in a more compact binary format, and not human readable.

To install a certificate in the trust store it must be in PEM format. A PEM certificate starts with the line ----BEGIN CERTIFICATE----. If you see this, you’re ready to install. If not, it is probably a DER certificate and needs to be converted before you can install it in the trust store.

Install a PEM-format certificate

Assuming your PEM-formatted root CA certificate is in local-ca.crt, run the following commands to install it:

sudo apt-get install -y ca-certificates
sudo cp local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

It is important that the certificate file has the .crt extension, otherwise it will not be processed.

After this point you can use tools like curl and wget to connect to local sites.

Convert from DER to PEM format

You can convert a DER-formatted certificate called local-ca.der to PEM form like this:

sudo openssl x509 -inform der -outform pem -in local-ca.der -out local-ca.crt`

The CA trust store location

The CA trust store (as generated by update-ca-certificates) is available at the following locations:

  • As a single file (PEM bundle) in /etc/ssl/certs/ca-certificates.crt
  • As an OpenSSL-compatible certificate directory in /etc/ssl/certs
1 Like

Instructions on how to remove a CA certificate from the trust store would be helpful.

1 Like