Adding Trusted Root Certificates on Linux |

This article will explain how to add (install) a new certificate to the Trusted Root Certificates list on Linux.

Assuming you’re using a self-signed SSL/TLS certificate, but don’t want to get SEC_ERROR_UNKNOWN_ISSUER Error in client browser whenever your site is opened.

To check if your Linux host cannot verify (and therefore does not trust) the SSL certificate on a certain site, run the following command:

$ curl –I

curl: (60) SSL certificate problem: unable to get local issuer certificate. More details here: 
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Validate website certificate using cURL

In this case, we need to add the root CA of this website to the list of trusted certificates on Linux.

How to install root certificate in trust store on Linux?

If you want to update your trusted certificate store on Linux, the first thing you need is the certificate pem file with a *.CRT Expansion. A PEM certificate in base 64 format starting with the line —-BEGIN CERTIFICATE—– and ends with ——END CERTIFICATE——,

PEM (X. 509 Certificate) file with .CRT extension

If you have your certificate file stored in DER format, you can convert it to PEM using the openssl command:

$ openssl x509 -in my_trusted_sub_ca.der -inform der -out my_trusted_sub_ca.cer

Now let’s see how you can add your CA root certificate to the trust list in DEB-based Linux distros (Ubuntu, Debian, Mint, Kali Linux, etc.).

First, copy your certificate files to the certificate store folder (/usr/local/share/ca-certificates/,

$ sudo cp my_trusted_sub_ca.crt /usr/local/share/ca-certificates/
$ sudo cp my_trusted_root_ca.crt /usr/local/share/ca-certificates/

Update the certificate store using the command:

$ sudo update-ca-certificates -v

If the command is not found, you need to install the package on your Ubuntu/Debian host:

$ sudo apt-get install -y ca-certificates

Update-CA-Certificate - Updates the directory /etc/ssl/certs to contain the SSL certificate and generates ca-certificates.crt

If the certificates have been added successfully, you will see a message saying that the certificate has been copied to /etc/ssl/certs/ :

Updating certificates in /etc/ssl/certs…
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d
Here’s another way to add new certificates to the trusted store on Linux:

$ sudo dpkg-reconfigure ca-certificates

View the list of certificates and select the certificates you want to add to trusted.

dpkg-reconfigure ca-certificates

On Linux, the list of trusted certificates is stored in the /etc/ssl/certs/ca-certificates.crt file. Both the above commands will update this file and add information about new certificates.

Use the following command to make sure that your certificates have been added to the trust list:

$ awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep -i YourCASubj

Specify the common name portion of your certificate instead of YourCASubj to search the store by subject.

list trusted certificates linux

You can check if your OS trusts the certificate by using the command:

$ openssl verify my_trusted_sub_ca.crt

openssl verified certificate chain

If your Linux host doesn’t trust the certificate, you’ll get an error:

error 20 at 0 depth lookup: unable to get local issuer certificate
error my_trusted_sub_ca.crt: verification failed

You can use curl to make sure the site uses a trusted SSL certificate:

$ curl –I

Everything is fine, the certificate is trusted { HTTPOnly: secure ,

check trusted ssl connection with curl on linux

Note that the certificate file can also be added to the trust list manually:

$ sudo mkdir /usr/share/ca-certificates/extra
$ sudo cp my.crt /usr/share/ca-certificates/extra/mycert1.crt
$ sudo vim /etc/ca-certificates.conf


$ sudo update-ca-certificates

To remove a certificate from the trusted list, just delete your .crt file:

$ sudo rm /usr/local/share/ca-certificates/yourcert.crt

and update the CA store:

$ sudo update-ca-certificates --fresh

To add a certificate to the trust list on RPM-based Linux distros (CentOS, Oracle, RHEL, Rocky Linux, Fedora), use the following procedure:

  1. Install the ca-certificates package: # yum install ca-certificates
  2. Copy the certificate file to /etc/pki/ca-trust/sources/anchor/ : # cp mycert.crt /etc/pki/ca-trust/source/anchors/
  3. Update certificate trusted store:
    # update-ca-trust force-enable
    # update-ca-trust extract

Adding a Trusted CA Certificate to Chrome and Firefox

After completing the above steps, all system tools will trust the websites that use this CA. However, this will not affect the Mozilla Firefox or Google Chrome web browsers, as they will still show a warning message about the untrusted certificate.

The thing is that Firefox, Chromium, Google Chrome, Vivaldi, and even the Mozilla Thunderbird e-mail client do not use the Linux system certificate store. The certificate store for these programs can be found in the user’s directory. cert8.db (for Mozilla) or cert9.db file (for Chromium and Chrome). To update these certificate stores, you can use the certutil tool from the libnss3-tools package.

First, install the package:

$ sudo apt install libnss3-tools

install libnss3-tools on linux

Now run the following bash script to add your certificates to the store via NSS:

certname="My Root CA1"
for certDB in $(find ~/ -name "cert8.db")
certdir=$(dirname ${certDB});
certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d dbm:${certdir}
for certDB in $(find ~/ -name "cert9.db")
certdir=$(dirname ${certDB});
certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d sql:${certdir}

Once this is done, websites with the given CA will be trusted by all browsers.

Leave a Comment