
Can anyone point me to a good tutorial on installing a root certificate on Ubuntu?

I've been provided with a .crt file. I gather that I need to create a directory at /usr/share/ca-certificates/newdomain.org and place the .crt in that directory. Beyond that I'm not sure how to proceed.

Kevin Bowen
Sparky1
    If anybody is landing here with a cer file instead of a crt, [they're the same thing](http://stackoverflow.com/questions/642284/apache-with-ssl-how-to-convert-cer-to-crt-certificates) (just with a different extension). You should be able to follow these answers and just substitute the filename. – Oli Jan 23 '14 at 10:19
  • Btw: for a convenient way to [get CA certificates from command line, look here](https://serverfault.com/a/129505/88431), on serverfault. – Frank N Aug 09 '18 at 08:48
  • Is there not a UX problem if there are 9 different answers? Does Ubuntu have a UserVoice? – Luke Puplett Feb 18 '20 at 13:06
  • Official docs can be found here https://ubuntu.com/server/docs/security-trust-store – Stefan Horning Mar 01 '22 at 12:53

9 Answers


Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

  1. Create a directory for extra CA certificates in /usr/local/share/ca-certificates:

    sudo mkdir /usr/local/share/ca-certificates/extra
    
  2. Copy the CA .crt file to this directory:

    sudo cp foo.crt /usr/local/share/ca-certificates/extra/foo.crt
    
  3. Let Ubuntu add the .crt file's path relative to /usr/local/share/ca-certificates to /etc/ca-certificates.conf:

    sudo dpkg-reconfigure ca-certificates
    

    To do this non-interactively, run:

    sudo update-ca-certificates
    

In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

openssl x509 -in foo.pem -inform PEM -out foo.crt

Or a .cer file can be converted to a .crt file:

openssl x509 -inform DER -in foo.cer -out foo.crt
BeastOfCaerbannog
Bai
  • How about using `/usr/local/share/ca-certificates` (local!) instead of using a system package management managed directory? – gertvdijk Mar 31 '14 at 13:03
  • Note that Firefox (and maybe some other software) doesn't use the system-wide certificates, but has its own certificate store: http://askubuntu.com/a/248326/79344. – Amir Ali Akbari Jun 06 '15 at 17:51
  • Note that the file *must* be in PEM format and have a ".crt" extension. – Anton Jun 05 '16 at 07:07
  • This method is not functional on Ubuntu 16.04, you might wish to revise your answer. – Luís de Sousa Aug 16 '16 at 07:35
  • Does this work for removal too? I.e. is it enough to remove the files and do dpkg-reconfigure again to delete the extra CA? – clorz Feb 01 '17 at 20:16
  • After losing my mind on this for way too long, I think I got it worked out with Ubuntu 16.04. One thing that was killing me is that my organization handed out a OUR_ORGANIZATION_ROOT_CA.crt file with instructions for adding it to Firefox. No prob. Then I figured out Chrome. No prob. Then curl and all who depend on it started croaking with fatal errors about certificates. Turns out this file extension was .crt but it was NOT in PEM format. @steakunderscore's comment above SAVED MY SANITY. The `-inform DER` option made the difference; `-inform PEM` didn't work. – David Feb 27 '17 at 17:36
  • `sudo dpkg-reconfigure ca-certificates` Thanks, the other `sudo update-ca-certificates --fresh` didn't work on 16.10. – antivirtel Mar 02 '17 at 11:29
  • Since `dpkg-reconfigure ca-certificates` is interactive, it can't be automated with Ansible. Better use `sudo update-ca-certificates` in that case. – Michael Niemand Mar 06 '17 at 15:21
  • Note that for Chromium you don't use site-wide certificates. Neither of the instructions below would produce the intended result in the web browser. – Sergei G May 24 '17 at 04:16
  • The command `openssl x509 -in foo.pem -inform PEM -out foo.crt` copies a PEM file to a PEM file. This can be done more easily by renaming. – Marian Jul 26 '17 at 17:22
  • Note that Chromium and Firefox do not use the system ca certificates, so require separate instructions. For Chromium, visit chrome://settings/certificates, click Authorities, then click Import, and select your .crt. In Firefox, visit about:preferences#advanced, click Certificates, View Certificates, Authorities, then click Import and select your .crt. – jbeard4 Sep 27 '17 at 19:15
  • PEM and crt are two unrelated things. PEM is an encoding (contrast with .DER) while crt is just a naming convention to indicate the contents (contrast with .key). – Gerald Sep 06 '18 at 10:09
  • @Marian I think that conversion command works even when the input PEM is actually a certificate chain instead of a single X.509 certificate (you cannot be sure what's inside `*.pem` until reading the content). In that case it is not simple file-copying. – Franklin Yu Sep 11 '18 at 20:56
  • For those who still fail after this approach: My company delivered both .pem files and .crt files. However, I had to generate my own .crt files from .pem files using the above-mentioned tool in order for them to work correctly. – mattgately Nov 13 '19 at 17:00
  • For my case with Ubuntu 16.04, `locate foo.crt` gives no output, and the output of `sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt` is: `cp: cannot stat 'foo.crt': No such file or directory`. Sadly, I first removed ca-certificates. How can I fix it, please? – REDHWAN Jun 07 '20 at 03:30
  • For Ubuntu 20.04 I tried installing it in the local ca-certificates folder `/usr/local/share/ca-certificates` as suggested by @gertvdijk, but the certificate wasn't found by the update process. – magikid Feb 02 '21 at 21:26
  • Confirm that for 20.04, these instructions work if the file is put into `/usr/share/ca-certificates/extra` – Raphael Jul 08 '21 at 09:51
  • Confirm that for 20.04, these instructions work if the file is put into `/usr/local/share/ca-certificates/extra` – stackprotector Mar 03 '22 at 10:46
  • Does `update-ca-certificates` automatically symlink the newly added files into `/etc/ssl/certs`? – Gergely Lukacsy Aug 03 '23 at 16:15

Given a CA certificate file 'foo.crt', follow these steps to install it on Ubuntu:

First, copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

then, update CA store

sudo update-ca-certificates

That's all. You should get this output:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:foo.pem
done.
done.

No file needs to be edited. A link to your CA is created automatically.

Please note that the certificate filenames have to end in .crt, otherwise the update-ca-certificates script won't pick up on them.

This procedure also works in newer versions: manuals.

Frantisek Boranek
  • This seems not to work in trusty tahr 14.04 – mcantsin Mar 28 '14 at 19:21
  • Please note that, unlike adding to /usr/share/ca-certificates, this seems to only work if they're directly in /usr/local/share/ca-certificates and not a subdirectory. +1 for using local folder instead of system folder! – Tobias J Apr 08 '14 at 05:11
  • Use this command to convert _*.pem_ to _*.crt_: `openssl x509 -outform der -in in_file.pem -out out_file.crt` – Nelson G. Jun 01 '16 at 10:20
  • This is documented in [README.Debian](https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/tree/debian/README.Debian). – pevik Aug 24 '16 at 09:32
  • I had to do `openssl x509 -outform pem -in in_file.pem -out out_file.crt`. Got complaints about "multiple certificates" in the CRT file if I did `-outform der`. – Dave Hein Dec 29 '16 at 20:50
  • @Sparky1, this should be the accepted answer. – Drew Chapin Feb 17 '17 at 12:46
  • Works on Debian 8.8 (Jessie) with the ownCloud application – Sergei G May 26 '17 at 06:12
  • Step 0: for a convenient way to [get CA certificates from command line, look here](https://serverfault.com/a/129505/88431), on serverfault. – Frank N Aug 09 '18 at 08:47
  • @pevik Link dead. [This](https://sources.debian.org/src/ca-certificates/20161130+nmu1+deb9u1/debian/README.Debian/) is a versioned one that won't expire. – Franklin Yu Sep 11 '18 at 20:46
  • @FranklinYu thanks :) Debian moved from Alioth to Salsa, this would work as well: https://salsa.debian.org/debian/ca-certificates/raw/master/debian/README.Debian, but sources.debian.org is better. – pevik Sep 12 '18 at 12:47
  • Thanks! It works in 18.04 as well; the first answer with copying the `crt` file to `/usr/share/ca-certificates/extra` doesn't seem to work however. – QPTR Jan 17 '19 at 16:25
  • I didn't know it had to be a `.crt` file, so this answer was super helpful. Thanks! – Sienna Oct 13 '19 at 15:43
  • For those who still fail after this approach: My company delivered both .pem files and .crt files. However, I had to generate my own .crt files from .pem files using the above-mentioned tool in order for them to work correctly. I think it was because of multiple certificates in a single CRT. – mattgately Nov 13 '19 at 17:02
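The two answers above describe the same procedure; the recurring trouble in their comments is a ".crt" that is really DER, a file that is not a CA certificate at all, and no way to check what actually landed in /etc/ssl/certs. The script below is an added example, not code from either answer, that does the procedure with those checks built in. It assumes openssl(1) and the Debian/Ubuntu ca-certificates package; `install_ca` and `verify_with_system_store` need root on a real system, the other functions run anywhere. The function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes openssl(1) and the
# Debian/Ubuntu ca-certificates package. All function names are illustrative.
set -eu

# Emit the certificate as PEM whether the input file is PEM or DER.
# A ".crt" or ".cer" file can be either; update-ca-certificates only
# accepts PEM, so never trust the extension.
cert_to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        openssl x509 -inform PEM -in "$1"
    else
        openssl x509 -inform DER -in "$1"
    fi
}

# Succeed only for a certificate carrying basicConstraints CA:TRUE.
# Installing a leaf certificate here is a common mistake that silently
# achieves nothing, so fail loudly instead.
is_ca_cert() {
    cert_to_pem "$1" 2>/dev/null | openssl x509 -noout -text 2>/dev/null \
        | grep -q 'CA:TRUE'
}

# SHA-256 fingerprint, independent of encoding, so the file you were
# handed can be compared against a fingerprint published out of band
# before it is trusted system-wide.
cert_fingerprint() {
    cert_to_pem "$1" 2>/dev/null | openssl x509 -noout -fingerprint -sha256 \
        | cut -d= -f2
}

# Install into the local, non-package-managed directory and rebuild
# /etc/ssl/certs. Requires root. Returns non-zero if the file is not a
# CA certificate or did not end up in the bundle.
install_ca() {
    src=$1
    name=$(basename "$src"); name=${name%.*}
    is_ca_cert "$src" || { echo "$src is not a CA certificate" >&2; return 1; }
    cert_to_pem "$src" > "/usr/local/share/ca-certificates/$name.crt"
    update-ca-certificates
    # update-ca-certificates symlinks /etc/ssl/certs/<name>.pem and appends
    # the PEM to /etc/ssl/certs/ca-certificates.crt; check both.
    [ -L "/etc/ssl/certs/$name.pem" ] &&
        grep -qF -- "$(cert_to_pem "$src" | sed -n 2p)" \
            /etc/ssl/certs/ca-certificates.crt
}

# Confirm that a leaf certificate (or chain) now validates against the
# system store, i.e. what curl, apt and most non-browser tools will see.
verify_with_system_store() {
    openssl verify -CApath /etc/ssl/certs \
        -CAfile /etc/ssl/certs/ca-certificates.crt "$1"
}

# Usage (as root): sh install-ca.sh foo.crt
if [ "${1:-}" ]; then
    echo "fingerprint: $(cert_fingerprint "$1")"
    install_ca "$1"
fi
```

Nothing here touches /etc/ca-certificates.conf: certificates under /usr/local/share/ca-certificates are included by update-ca-certificates unconditionally, which is why a plain `sudo update-ca-certificates` is enough there and `dpkg-reconfigure ca-certificates` only matters for files placed under /usr/share/ca-certificates.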

Clarification between update-ca-certificates and dpkg-reconfigure ca-certificates and why one works and the other does not!!

  • update-ca-certificates or sudo update-ca-certificates will only work if /etc/ca-certificates.conf has been updated.

  • /etc/ca-certificates.conf is only updated once you have run dpkg-reconfigure ca-certificates, which updates the certificate names to be imported into /etc/ca-certificates.conf.

This is stated in the header of the /etc/ca-certificates.conf file:

# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.  <=======
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
mozilla/ACCVRAIZ1.crt
mozilla/AC_RAIZ_FNMT-RCM.crt
mozilla/Actalis_Authentication_Root_CA.crt
mozilla/AddTrust_External_Root.crt
...

As you can see, the format in /etc/ca-certificates.conf is <folder name>/<.crt name>

So in order to use update-ca-certificates or sudo update-ca-certificates you could do the following to import a .crt:

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

     sudo mkdir /usr/share/ca-certificates/extra
    
  2. Copy the .crt file to this directory:

     sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
    
  3. Append a line to /etc/ca-certificates.conf using <folder name>/<.crt name>:

     echo "extra/foo.crt" | sudo tee -a /etc/ca-certificates.conf
    
  4. Update certs non-interactively with sudo update-ca-certificates

     $ sudo update-ca-certificates
     ...
     Updating certificates in /etc/ssl/certs...
     1 added, 0 removed; done.
    
mahatmanich
  • For my case with Ubuntu 16.04, No output: locate foo.crt and the output : sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt is: cp: cannot stat 'foo.crt': No such file or directory. Sadly, I first removed ca-certificates. How I can fix it, please? – REDHWAN Jun 07 '20 at 03:28
  • On Ubuntu 20.04 LTS, there is no need to use the interactive `dpkg-reconfigure ca-certificates`. `update-ca-certificates` adds a certificate from a newly created folder like `/usr/local/share/ca-certificates/extra` successfully. – stackprotector Mar 03 '22 at 10:51
  • Docs: https://ubuntu.com/server/docs/security-trust-store – stackprotector Mar 03 '22 at 10:55
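The answer above shows the one thing /etc/ca-certificates.conf is for: the `!` prefix. Besides selecting your own extra certificate, that is also how you distrust a packaged Mozilla root you no longer want the system to accept, which is the more security-relevant use. The helpers below are an added example (mine, not from the answer) that read and edit the file by exact entry name. They take the conf path as an argument so you can try them on a copy; on the real file, run `sudo update-ca-certificates` afterwards so /etc/ssl/certs is rebuilt. Only /usr/share/ca-certificates entries are listed in this file; anything in /usr/local/share/ca-certificates is included unconditionally and never appears here.

```shell
#!/bin/sh
# Added example, not part of the original answer: read and edit a
# ca-certificates.conf without regenerating it. Function names are
# illustrative. Pass /etc/ca-certificates.conf (as root) and then run
# update-ca-certificates to change what /etc/ssl/certs contains.
set -eu

# Entries selected for installation: every non-blank, non-comment line
# that does not start with '!'.
list_enabled() {
    grep -v -e '^#' -e '^!' -e '^$' "$1" || true
}

# Entries explicitly deselected with the '!' prefix.
list_disabled() {
    sed -n 's/^!//p' "$1"
}

# Print enabled, disabled or unlisted for <folder>/<name>.crt.
ca_status() {
    if grep -qxF -- "!$2" "$1"; then echo disabled
    elif grep -qxF -- "$2" "$1"; then echo enabled
    else echo unlisted
    fi
}

# Rewrite the file in place, replacing the line equal to $2 with $3.
# awk compares whole lines, so names such as mozilla/AC_RAIZ_FNMT-RCM.crt
# need no regex escaping. Writing through cat keeps the file's owner/mode.
_replace_line() {
    tmp=$(mktemp)
    awk -v from="$2" -v to="$3" '$0 == from { print to; next } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Deselect a packaged CA (prefix it with '!'). Idempotent; fails for entries
# the file does not know, which usually means a typo or a certificate that
# lives under /usr/local/share/ca-certificates and cannot be disabled here.
distrust_ca() {
    case $(ca_status "$1" "$2") in
        disabled) return 0 ;;
        unlisted) echo "$2: not listed in $1" >&2; return 1 ;;
    esac
    _replace_line "$1" "$2" "!$2"
}

# Re-enable a deselected CA.
retrust_ca() {
    case $(ca_status "$1" "$2") in
        enabled)  return 0 ;;
        unlisted) echo "$2: not listed in $1" >&2; return 1 ;;
    esac
    _replace_line "$1" "!$2" "$2"
}

# Usage (as root): distrust_ca /etc/ca-certificates.conf mozilla/Some_Root.crt
#                  update-ca-certificates
```

After `update-ca-certificates` the deselected certificate's symlink is dropped from /etc/ssl/certs and the bundle is regenerated without it, which is what the "0 added, 1 removed" line in its output reports. Note that `dpkg-reconfigure ca-certificates` rewrites this file from its debconf answers, so a distrust made only here is worth recording there too if you expect the package to be reconfigured later.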

Install a Certificate Authority on Ubuntu

I have tested this on Ubuntu 14.04.

Here is my solution, I looked and looked for a long time trying to figure out how to get this to work.

  1. Extract the .cer from the browser. I used IE 11.
    • Settings -> Internet Options -> Intermediate Certificate Authorities
    • Select the certificate authority you want to export (`certutil -config - -ping` will show you the ones you are using if you are behind a corporate proxy)
    • Export -> Select the format you want to use: DER Encoded .cer
  2. Get the .cer files to Ubuntu somehow
  3. Convert to .crt:

    openssl x509 -inform DER -in certificate.cer -out certificate.crt

  4. Make the extra directory:

    sudo mkdir /usr/share/ca-certificates/extra

  5. Copy the certificates over:

    sudo cp certificate.crt /usr/share/ca-certificates/extra/certificate.crt

  6. `sudo update-ca-certificates`
  7. If not, then you have to do what I did, go to `sudo nano /etc/ca-certificates.conf`
  8. Scroll down and find your .cer and remove the ! from in front of the file name (update-ca-certificates doc) - if you don't find your certificate run dpkg-reconfigure ca-certificates
  9. Run `sudo update-ca-certificates`
  10. You may need to individually trust the CAs from Firefox, Chrome, etc. I needed it to work with Docker, so after these steps it worked with Docker.
scandar
Alex

Other answers didn't work for me with Ubuntu 18.04. Append the certificate cert to /etc/ssl/certs/ca-certificates.crt using the following command:

cat YOUR_CERT_HERE.crt | sudo tee -a /etc/ssl/certs/ca-certificates.crt >/dev/null
mahatmanich
Jasmit Tarang
  • 2 hours of messing about with import commands before I found this. Perfect! – beirtipol Feb 14 '19 at 16:07
  • The command is wrong, the final `s` is missing: `cat YOUR_CERT_HERE.crt >> /etc/ssl/certs/ca-certificates.crt `. Thanks for this solution. – SommerEngineering Apr 15 '19 at 14:31
  • Note: This is the temporary solution, as the added certificate is going to be removed after running `update-ca-certificates`. – kenorb May 17 '19 at 10:49
  • what is removed? I haven't seen my certificate removed. – Someone Special Mar 17 '21 at 09:24
  • I get permission denied on this, even with sudo at the beginning: `sudo cat DigiCertGlobalRootCA.crt >> /etc/ssl/certs/ca-certificates.crt` gives `bash: /etc/ssl/certs/ca-certificates.crt: Permission denied` – Alex Mi Feb 01 '23 at 19:33

Have the (root / CA) certificate available on a web server, local to your network if you like.

  • Browse to it with Firefox.
  • Open the cert and tell Firefox to add it as an exception.
  • Firefox will ask you whether you want to trust this certificate for identifying websites, for e-mail users or for software publishers.
  • Enjoy!

Update: It will be necessary to check if this works on Ubuntu 11. I've realised that I just did this on Ubuntu 12.04 LTS.

Eliah Kagan
Ian Green
  • Doesn't Firefox have its own certificate container? If one added a certificate this way, only Firefox would be able to use it, wouldn't it? – Aiyion.Prime Mar 23 '15 at 16:47
  • That does not work at all, you still have to add it to the global cert container of the OS, otherwise it only will be in the Firefox container. – arc_lupus Apr 04 '16 at 07:25

To add a Root CA certificate in FireFox is now-a-days very easy. Just open preferences, go to "Privacy & Security", scroll down to "Certificates" and click "View Certificates...". Here you can click "Import Certificate". Point to your root CA (.pem) and OK. That's all folks.

pizzamonster
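The two answers above and several comments make the same point: Chromium/Chrome and Firefox do not read /etc/ssl/certs but keep their own NSS certificate databases. For machines you provision without a desktop session, the GUI route does not scale, so here is an added example (mine, not from either answer) that does the same import with certutil from the libnss3-tools package. The function names, the "C,," trust flags and the profile paths listed in the comments are my assumptions; Firefox must be closed while its database is edited.

```shell
#!/bin/sh
# Added example, not from the original answers. Chromium/Chrome and Firefox
# keep their own NSS certificate databases and ignore /etc/ssl/certs; this
# adds a CA to those databases with certutil (package libnss3-tools).
# Function names and the choice of trust flags are mine.
set -eu

# Add a CA trusted for server authentication ("C,,") to one NSS database.
# Creates the database first if it does not exist yet (a fresh account may
# not have one until Chromium has been started once).
nss_trust_ca() {
    db=$1; nick=$2; crt=$3
    mkdir -p "$db"
    [ -f "$db/cert9.db" ] || certutil -d "sql:$db" -N --empty-password
    certutil -d "sql:$db" -A -t "C,," -n "$nick" -i "$crt"
}

# True if a certificate with that nickname is in the database.
nss_has_ca() {
    certutil -d "sql:$1" -L -n "$2" >/dev/null 2>&1
}

# Remove it again, e.g. when the CA is rotated or should no longer be trusted.
nss_untrust_ca() {
    certutil -d "sql:$1" -D -n "$2"
}

# Chromium/Chrome on Linux read the shared per-user database ~/.pki/nssdb.
chromium_trust_ca() {
    nss_trust_ca "$HOME/.pki/nssdb" "$1" "$2"
}

# Firefox has one database per profile (deb install: ~/.mozilla/firefox/*/,
# snap install: ~/snap/firefox/common/.mozilla/firefox/*/). Only profiles
# that already have a cert9.db are touched.
firefox_trust_ca() {
    for p in "$HOME"/.mozilla/firefox/*/ \
             "$HOME"/snap/firefox/common/.mozilla/firefox/*/; do
        [ -f "$p/cert9.db" ] || continue
        nss_trust_ca "$p" "$1" "$2"
    done
}

# Usage: chromium_trust_ca "Corp Root CA" /usr/local/share/ca-certificates/foo.crt
#        firefox_trust_ca  "Corp Root CA" /usr/local/share/ca-certificates/foo.crt
```

Run this as the desktop user, not as root: the databases live in the user's home directory and certutil writes them with that user's ownership. A root-installed copy under /usr/local/share/ca-certificates is still the right place to keep the file itself, so the browser and system trust stores are fed from one source.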

Here are the simple steps:

  1. Install CA certificates to allow SSL-based applications to check for the authenticity of SSL connections:

    sudo apt-get install ca-certificates
    
  2. Copy certificate file (crt or .cer) into /usr/local/share/ca-certificates/ folder, e.g.:

    sudo cp file.crt /usr/local/share/ca-certificates/
    

    For PEM file, see: Convert .pem to .crt and .key.

    Optionally, if using Charles proxy, this command can work:

    curl -L chls.pro/ssl | sudo tee /usr/local/share/ca-certificates/charles.crt
    
  3. Update certificates:

    sudo update-ca-certificates
    

    The command will update /etc/ssl/certs directory to hold SSL certificates and generates ca-certificates.crt file (a concatenated single-file list of certificates).

    Note: Don't add certificates manually (as suggested here), as they are not persistent and going to be removed.

Note: If you're running as root, you can drop the sudo from the above commands.

kenorb

From here:

Installing the Certificate

You can install the key file example.key and certificate file example.crt, or the certificate file issued by your CA, by running following commands at a terminal prompt:

sudo cp example.crt /etc/ssl/certs
sudo cp example.key /etc/ssl/private

Now simply configure any applications, with the ability to use public-key cryptography, to use the certificate and key files. For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.

jat255
  • Should have read more closely... It looks like that's not for root certificates. That page that I linked to though has information about root certificates that might be useful. – jat255 Oct 28 '11 at 18:06
  • I don't have a public key and a private key, I just have a .crt, so unfortunately those instructions don't seem to apply. – Sparky1 Oct 28 '11 at 19:01