Installing a root CA certificate in the trust store

Installing a root CA certificate in the trust store

Often in an enterprise environments there is a local Certificate Authority (CA) that issues certificates local to the organization. For an Ubuntu server to be functional and trust the hosts in this environment this CA must be installed in Ubuntu’s trust store.

Installing a certificate in PEM form

To install a certificate in the trust store it must be in PEM form. Assuming the root CA certificate is in PEM form at a file called local-ca.crt, follow the steps below to convert to DER form an install.

$ sudo apt-get install -y ca-certificates
$ sudo cp local-ca.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates

Note: It is important to have the .crt extension on the file, otherwise it will not be processed.

After this point you can use Ubuntu’s tools like curl and wget to connect to local sites.

Installing a certificate in DER form

Assuming the DER-formatted root CA certificate is in local-ca.der follow the steps below to install it.

$ sudo apt-get install -y ca-certificates
$ sudo openssl x509 -inform der -outform pem -in local-ca.der -out local-ca.crt
$ sudo cp local-ca.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates

After this point you can use Ubuntu’s tools like curl and wget to connect to local sites.

How to recognize the form?

A PEM-formatted certificate is human-readable in base64 format, and starts with the lines ----BEGIN CERTIFICATE----. If you see these lines then use the instructions for the PEM form otherwise it is most likely a DER certificate.