
I've generated a self-signed certificate for my build server and I'd like to globally trust the certificate on my machine, as I created the key myself and I'm sick of seeing warnings.

I'm on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://example.com without asking questions?

  • All the TLS should be vectored through OpenSSL, so that's the place to look for documentation. In this case: gagravarr.org/writing/openssl-certs/… looks useful. Commented Sep 13, 2013 at 2:06

6 Answers


The simple answer to this is that pretty much each application will handle it differently.

Also, OpenSSL and GnuTLS (the most widely used certificate processing libraries used to handle signed certificates) behave differently in their treatment of certs, which further complicates the issue. Operating systems also use different mechanisms to manage the "root CA" certificates used by most websites.

That aside, taking Debian as an example, install the ca-certificates package:

apt-get install ca-certificates

You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):

cp cacert.crt /usr/share/ca-certificates

NOTE: Certificate needs to have .crt extension for it to be picked up.

Then get it to rebuild the directory with your certificate included; run as root:

dpkg-reconfigure ca-certificates

and select the ask option, scroll to your certificate, mark it for inclusion and select ok.

Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file

Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file, and then allow you to import it into the Root CA list.

Most other commands, such as curl, take command-line switches you can use to point at your CA:

curl --cacert /path/to/CA/cert.file https://...

or drop SSL validation altogether:

curl --insecure https://...

The rest will need individual investigation if the ca-certificates-like trick does not sort it out for that particular application.

  • Also, as noted here, adding CA certificates for Java is likewise a separate matter. Commented Mar 28, 2014 at 0:40
  • After copying the certificate to /usr/share/ca-certificates, I can't see it in the dpkg-reconfigure ca-certificates list. What am I doing wrong? Commented Feb 17, 2015 at 19:21
  • @GeorgesDupéron That happened to me too. I resolved it by renaming the cert from whatever.pem to whatever.crt. Commented Oct 3, 2015 at 7:19
  • ref manuals.gfi.com/en/kerio/connect/content/server-configuration/… Commented Jul 18, 2018 at 3:09
  • FYI, I had a cert file named .cer, and that didn't work. I had to rename it to .crt for it to be recognized. Commented Mar 1, 2019 at 19:10

Non Interactive Approach

For use in a non-interactive context (e.g. a Chef recipe) you can use the following sequence.

sudo cp my.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
  • Tested and works on Debian 5/6 & Ubuntu 14.04.
  • For more information, see man update-ca-certificates

This method is preferred over @Drav's method, since /usr/share/ is typically reserved for files added by the OS / apt-get.

  • It is better to copy the files to /usr/local/share/ca-certificates/ as mentioned in the man pages Commented Feb 4, 2016 at 10:20
  • FYI the A must be a .crt, I found .cert claimed it was added but did not help Commented Dec 13, 2016 at 3:53
  • will this work with Chrome? Commented Oct 9, 2023 at 20:45

Fedora

On Fedora 23, add the .pem or .der file to /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust extract.

See man update-ca-trust for details, e.g. whether to use /etc or /usr.

Alpine

Add the .pem to /usr/local/share/ca-certificates/ and run update-ca-certificates.

The sources for this Alpine tooling live at https://github.com/alpinelinux/ca-certificates/blob/898ab81b51730dcd175069956d6e792385c9f457/update-ca.c#L18

More

Even between just Linux distributions, the location of the bundle and the mechanisms to add to it differ widely.

By way of example, a Linux Golang application would currently look in the following locations by default:

var certFiles = []string{
  "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
  "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
  "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
  "/etc/pki/tls/cacert.pem",                           // OpenELEC
  "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
  "/etc/ssl/cert.pem",                                 // Alpine Linux
}

(quoted from https://github.com/cert-manager/trust-manager/blob/main/design/20220722-publicbundle.md)

A good source of information on this is the Kubernetes cert-manager (https://cert-manager.io/).
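As an added example (not part of this answer, and not cert-manager's or the Go project's code): the Go program below reuses the certFiles list quoted above to report which bundle this host would hand to a Go binary, then builds a throwaway CA and a server certificate in memory and verifies the server certificate against an empty root pool and again after the CA's PEM is appended. That second step is the whole of what "trusting the CA" means to a verifier; the system tools on this page just do it to a file on disk. The host name build.example.com and the CA name "My Homemade CA" are made up for the example. Two facts about Go worth knowing alongside the list: on Linux, Go also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables, which gives you a per-process override when you cannot touch the system store, and since Go 1.15 the host name is matched only against the SAN, so a certificate with nothing but a CN will fail even with the CA trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Bundle paths a Linux Go binary tries, in order (the list quoted above).
var certFiles = []string{
	"/etc/ssl/certs/ca-certificates.crt",
	"/etc/pki/tls/certs/ca-bundle.crt",
	"/etc/ssl/ca-bundle.pem",
	"/etc/pki/tls/cacert.pem",
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
	"/etc/ssl/cert.pem",
}

// systemBundlePath: the SSL_CERT_FILE override if set, else the first existing path, else "".
func systemBundlePath() string {
	if p := os.Getenv("SSL_CERT_FILE"); p != "" {
		return p
	}
	for _, f := range certFiles {
		if _, err := os.Stat(f); err == nil {
			return f
		}
	}
	return ""
}

// issue signs tmpl under parent (self-signed when parent == tmpl); returns the cert and its PEM.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// trustDemo builds a throwaway CA plus a server cert for host in memory (nothing touches disk)
// and verifies the server cert before the CA is in the root pool (expect UnknownAuthorityError)
// and after its PEM is appended (expect nil).
func trustDemo(host string) (withoutCA, withCA, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "My Homemade CA"}, // made-up name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caPEM, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, // verifiers match the SAN, not the CN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	// An empty pool stands in for a system bundle that does not yet contain the CA.
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host}
	_, withoutCA = leaf.Verify(opts)
	if !opts.Roots.AppendCertsFromPEM(caPEM) { // what update-ca-certificates does to the bundle
		return nil, nil, fmt.Errorf("CA PEM did not parse")
	}
	_, withCA = leaf.Verify(opts)
	return withoutCA, withCA, nil
}

func main() {
	fmt.Println("system bundle:", systemBundlePath())
	before, after, err := trustDemo("build.example.com") // made-up host
	if err != nil {
		panic(err)
	}
	fmt.Println("without CA:", before, "\nwith CA:", after)
}
```

The first Verify fails with "x509: certificate signed by unknown authority", which is exactly the error the question's tools print; the second succeeds with no other change to the leaf. If a real Go program still fails after you ran update-ca-certificates, check that systemBundlePath returns the file you expected, since a distribution that writes its bundle somewhere outside this list, or an SSL_CERT_FILE left over in the environment, sends Go elsewhere.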


In CentOS:

cp *.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
  • When I do openssl connect, should I be specifying this /anchors folder? I'm still getting an error "self signed certs". Commented Jul 13, 2018 at 13:52

Non Interactive Approach (Oct '18)
for recent Debian-based systems

There's a distinction between adding a cert to the host's store and activating it so that applications really use it. An existing cert in the store isn't necessarily used (although I have to admit that a lot of packages still get it wrong anyway).
This can get confusing when you set up a package which consults /etc/ca-certificates.conf and simply refuses to use your cert although it has been added without error. You need to tell update-ca-certificates explicitly to activate the cert (not just copy it) by adding it to /etc/ca-certificates.conf or /etc/ca-certificates/update.d.

CERT=mycert.crt
cp /mypath/to/$CERT /usr/share/ca-certificates/$CERT
# notice the + sign which tells it to activate the cert!!!
echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
dpkg-reconfigure ca-certificates;

Now, here it gets confusing, as there's a way to implicitly trust a certificate by using a different path:

CERT=mycert.crt
cp /mypath/to/$CERT /usr/local/share/ca-certificates/$CERT
update-ca-certificates;
sudo cp my.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

These 2 lines above did not work for me the first time.

After investigation, it turned out that many certificates are excluded in /etc/ca-certificates.conf because the line starts with !

So I had to remove the first character of all lines which start with !

sudo sed -i '/^!/s/^.//g' /etc/ca-certificates.conf
sudo update-ca-certificates

Now curl works without the need for the --cacert option!!

  • You've just re-enabled all of the certs that were disabled, e.g., ones from bad actors or expired. That was not clever Commented Oct 29, 2020 at 21:52
