Install a root CA certificate in the trust store
Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.
Enterprise environments sometimes have a local Certificate Authority (CA) that issues certificates for use within the organisation. For an Ubuntu server to be functional, and to trust the hosts in this environment, this CA must be installed in Ubuntu’s trust store.
Certificate formats
There are two encoding formats for certificates:
- Privacy Enhanced Mail (PEM): These are human-readable and in Base64-encoded ASCII format.
- Distinguished Encoding Rules (DER): These are encoded in a more compact binary format, and not human readable.
To install a certificate in the trust store it must be in PEM format. A PEM certificate starts with the line ----BEGIN CERTIFICATE----
. If you see this, you’re ready to install. If not, it is probably a DER certificate and needs to be converted before you can install it in the trust store.
Install a PEM-format certificate
Assuming your PEM-formatted root CA certificate is in local-ca.crt
, run the following commands to install it:
sudo apt-get install -y ca-certificates
sudo cp local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
Note:
It is important that the certificate file has the.crt
extension, otherwise it will not be processed.
After this point you can use tools like curl
and wget
to connect to local sites.
Convert from DER to PEM format
You can convert a DER-formatted certificate called local-ca.der
to PEM form like this:
sudo openssl x509 -inform der -outform pem -in local-ca.der -out local-ca.crt`
The CA trust store location
The CA trust store (as generated by update-ca-certificates
) is available at the following locations:
- As a single file (PEM bundle) in
/etc/ssl/certs/ca-certificates.crt
- As an OpenSSL-compatible certificate directory in
/etc/ssl/certs