Celeb Glow
news | March 19, 2026

How do I install a root certificate?

Can anyone point me to a good tutorial on installing a root certificate on Ubuntu?

I've been provided with a .crt file. I gather that I need to create a directory at /usr/share/ca-certificates/newdomain.org and place the .crt in that directory. Beyond that I'm not sure how to proceed.

4

9 Answers

Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

  1. Create a directory for extra CA certificates in /usr/local/share/ca-certificates:

    sudo mkdir /usr/local/share/ca-certificates/extra
  2. Copy the CA .crt file to this directory:

    sudo cp foo.crt /usr/local/share/ca-certificates/extra/foo.crt
  3. Let Ubuntu add the .crt file's path relative to /usr/local/share/ca-certificates to /etc/ca-certificates.conf:

    sudo dpkg-reconfigure ca-certificates

    To do this non-interactively, run:

    sudo update-ca-certificates

In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

openssl x509 -in foo.pem -inform PEM -out foo.crt

Or a .cer file can be converted to a .crt file:

openssl x509 -inform DER -in foo.cer -out foo.crt
18

Given a CA certificate file 'foo.crt', follow these steps to install it on Ubuntu:

First, copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

then, update CA store

sudo update-ca-certificates

That's all. You should get this output:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:foo.pem
done.
done.

No file needs to be edited. The link to your CA is created automatically.

Please note that the certificate filenames have to end in .crt, otherwise the update-ca-certificates script won't pick up on them.

This procedure works also in newer versions: manuals.

13

Clarification between update-ca-certificates and dpkg-reconfigure ca-certificates and why one works and the other does not!!

  • update-ca-certificates or sudo update-ca-certificates will only work if /etc/ca-certificates.conf has been updated.

  • /etc/ca-certificates.conf is only updated once you have run dpkg-reconfigure ca-certificates, which updates the certificate names to be imported into /etc/ca-certificates.conf.

This is stated in the header of the /etc/ca-certificates.conf file:

# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates. <=======
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/Actalis_Authentication_Root_CA.crt
mozilla/AddTrust_External_Root.crt
...

As you can see, the format in /etc/ca-certificates.conf is <folder name>/<.crt name>

So in order to use update-ca-certificates or sudo update-ca-certificates you could do the following to import a .crt:

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

    sudo mkdir /usr/share/ca-certificates/extra
  2. Copy the .crt file to this directory:

    sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
  3. Append a line to /etc/ca-certificates.conf using <folder name>/<.crt name>:

    echo "extra/foo.crt" | sudo tee -a /etc/ca-certificates.conf
  4. Update certs non-interactively with sudo update-ca-certificates

    $ sudo update-ca-certificates
    ...
    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done.
3

Install a Certificate Authority on Ubuntu

I have tested this on Ubuntu 14.04.

Here is my solution, I looked and looked for a long time trying to figure out how to get this to work.

  1. Extract the .cer from browser. I used IE 11.
    • Settings -> Internet Options -> Intermediate Certificate Authorities
    • Select The Certificate Authority You Want To Export (certutil -config - -ping will show you the ones you are using if you are behind a corporate proxy)
    • Export -> Select The Format You Want To Use: DER Encoded .cer
  2. Get the .cer files to Ubuntu somehow
  3. Convert to .crt: openssl x509 -inform DER -in certificate.cer -out certificate.crt
  4. Make extra directory: sudo mkdir /usr/share/ca-certificates/extra
  5. Copy certificates over: sudo cp certificate.crt /usr/share/ca-certificates/extra/certificate.crt
  6. sudo update-ca-certificates
  7. If not, then you have to do what I did, go to sudo nano /etc/ca-certificates.conf
  8. Scroll down and find your .cer and remove the ! from in front of the file name (update-ca-certificates doc) - if you don't find your certificate run dpkg-reconfigure ca-certificates
  9. Run sudo update-ca-certificates
  10. You may need to individually trust the CAs from Firefox, Chrome, etc. I needed it to work with Docker, so after these steps it worked with Docker.
3
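
The two answers above edit /etc/ca-certificates.conf by hand, one by appending a line and one by removing the leading "!". This added example, not taken from either answer, does both idempotently, so re-running it never leaves duplicate entries. The function names ca_conf_state and ca_conf_enable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answers): select an entry in a
# ca-certificates.conf style file without creating duplicate lines.

# ca_conf_state CONF ENTRY  ->  prints: selected | deselected | absent
ca_conf_state() {
    if grep -qxF -- "$2" "$1"; then
        echo selected
    elif grep -qxF -- "!$2" "$1"; then
        echo deselected
    else
        echo absent
    fi
}

# ca_conf_enable CONF ENTRY  ->  ENTRY ends up selected exactly once
ca_conf_enable() {
    conf=$1 entry=$2
    case $entry in
        *.crt) ;;
        *) echo "refusing $entry: only .crt names are recognised" >&2; return 2 ;;
    esac
    case $(ca_conf_state "$conf" "$entry") in
        selected) ;;    # already enabled, nothing to write
        deselected)     # strip the leading "!" from the exact line only
            tmp=$(mktemp) || return 1
            awk -v e="$entry" '$0 == "!" e { print e; next } { print }' "$conf" > "$tmp" &&
                cat "$tmp" > "$conf"    # rewrite in place, keeping owner and mode
            rc=$?
            rm -f "$tmp"
            return "$rc" ;;
        absent)
            # start a new line first if the file does not end with one
            [ -n "$(tail -c 1 "$conf")" ] && echo >> "$conf"
            printf '%s\n' "$entry" >> "$conf" ;;
    esac
}
```

Run as root, for example `ca_conf_enable /etc/ca-certificates.conf extra/foo.crt`, and then run update-ca-certificates.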

Other answers didn't work for me with Ubuntu 18.04. Append the certificate cert to /etc/ssl/certs/ca-certificates.crt using the following command:

cat YOUR_CERT_HERE.crt >> /etc/ssl/certs/ca-certificates.crt 
4

Have the (root / CA) certificate available on a web server, local to your network if you like.

  • Browse to it with Firefox.
  • Open the cert and tell Firefox to add it as an exception.
  • Firefox will ask you whether you want to trust this certificate for identifying websites, for e-mail users or for software publishers.
  • Enjoy!

Update: It will be necessary to check if this works on Ubuntu 11. I've realised that I just did this on Ubuntu 12.04 LTS.

2

From here:

Installing the Certificate

You can install the key file example.key and certificate file example.crt, or the certificate file issued by your CA, by running the following commands at a terminal prompt:

sudo cp example.crt /etc/ssl/certs
sudo cp example.key /etc/ssl/private

Now simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.

2

To add a Root CA certificate in Firefox is nowadays very easy. Just open preferences, go to "Privacy & Security", scroll down to "Certificates" and click "View Certificates...". Here you can click "Import Certificate". Point to your root CA (.pem) and OK. That's all folks.

Here are the simple steps:

  1. Install CA certificates to allow SSL-based applications to check for the authenticity of SSL connections:

    sudo apt-get install ca-certificates
  2. Copy the certificate file (.crt or .cer) into the /usr/local/share/ca-certificates/ folder, e.g.:

    sudo cp file.crt /usr/local/share/ca-certificates/

    For PEM file, see: Convert .pem to .crt and .key.

    Optionally, if using Charles proxy, this command can work:

    curl -L | sudo tee /usr/local/share/ca-certificates/charles.crt
  3. Update certificates:

    sudo update-ca-certificates

    The command updates the /etc/ssl/certs directory to hold SSL certificates and generates the ca-certificates.crt file (a concatenated single-file list of certificates).

    Note: Don't add certificates manually (as suggested here), as they are not persistent and are going to be removed.

Note: If you're running as root, you can drop the sudo from the above commands.
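
One answer above appends a certificate straight to /etc/ssl/certs/ca-certificates.crt, and the last answer notes that such manual additions are removed when the bundle is regenerated. This added example, not taken from any answer, lists the bundle entries that have no matching .crt file in the source directories, which is how to spot a hand-appended or unexpected root. The function names are hypothetical, and it assumes the bundle is built only from those directories.

```shell
#!/bin/sh
# Added example (not from the answers): find certificates in a CA bundle
# that are not backed by any *.crt file in the managed source directories.

# awk program: one output line per certificate, holding its base64 body
# with spaces, tabs and CRs removed so line wrapping does not matter
PEM_AWK='/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
/-----END CERTIFICATE-----/ { if (inside) print body; inside = 0; next }
inside { gsub(/[ \t\r]/, ""); body = body $0 }'

# pem_bodies FILE...  ->  normalised bodies of every certificate in the files
pem_bodies() {
    awk "$PEM_AWK" "$@"
}

# unmanaged_certs BUNDLE DIR...  ->  prints the 1-based position in BUNDLE
# of each certificate that appears in no *.crt file under the DIRs
unmanaged_certs() {
    bundle=$1; shift
    known=$(mktemp) || return 1
    # each file is parsed separately, so a missing final newline in one
    # file cannot glue its END line to the next file's BEGIN line
    find -L "$@" -type f -name '*.crt' -exec awk "$PEM_AWK" {} + > "$known"
    pem_bodies "$bundle" | awk -v known="$known" '
        BEGIN { while ((getline line < known) > 0) seen[line] = 1 }
        !($0 in seen) { print NR }'
    rm -f "$known"
}
```

On Ubuntu the call would be `unmanaged_certs /etc/ssl/certs/ca-certificates.crt /usr/share/ca-certificates /usr/local/share/ca-certificates`; empty output means every bundled certificate has a source file.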
