
How to install / add new root certificates on Debian, Ubuntu, Mint Linux

Saturday, October 21st, 2017


How to add / install a root CA certificate on Debian, Ubuntu, Mint Linux


 Because of various auditing failures and other security issues, the CAcert root certificate set is slowly disappearing from the Ubuntu and Debian ‘ca-certificates’ package.

That's really tricky if you're a system administrator, or you have a bunch of programmers who need to install a new set of root certificates for their freshly developed application, or you have to add corporate certificates to the Debian root CA store. The good news is that it is quite easy to install new certificates on deb-based distributions.

Given a CA certificate file foo.crt, follow these steps to install it on Debian / Ubuntu:

1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

    debian:~# mkdir /usr/share/ca-certificates/extra-certificates

2. Copy the CA .crt file to this directory:

    debian:~# cp foo.crt /usr/share/ca-certificates/extra-certificates/foo.crt

3. Let Debian / Ubuntu add the .crt file's path, relative to /usr/share/ca-certificates, to /etc/ca-certificates.conf (this file lists the certificates that you wish to have installed in /etc/ssl/certs, or to have ignored):

    debian:~# dpkg-reconfigure ca-certificates

In case you want to add a .pem file to the list of trusted certificates on Debian / Ubuntu, it must first be converted to a .crt file; you can do that with:
 

    debian:~# openssl x509 -in foo.pem -inform PEM -out foo.crt


Let's say you want to add a custom root certificate, for example the one from cacert.org:

    debian:~# mkdir /usr/local/share/ca-certificates/cacert.org
    debian:~# cd /usr/local/share/ca-certificates/cacert.org
    debian:~# wget -P /usr/local/share/ca-certificates/cacert.org http://www.cacert.org/certs/root.crt http://www.cacert.org/certs/class3.crt

Then once again update the CA certificates bundle:

    debian:~# update-ca-certificates
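
The wget step above fetches the root certificates over plain HTTP, so nothing authenticates the files in transit, and anything placed in the trust store is trusted for every TLS connection the host makes. The script below is an added example, not part of the original post: it installs a certificate only if its SHA-256 fingerprint matches a value obtained over a separate trusted channel. The function names, the `CA_DIR` variable and the `install-ca.sh` file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin a CA certificate to a known SHA-256 fingerprint before
# adding it to the Debian / Ubuntu trust store.
# Assumption: the expected fingerprint was obtained over a separate, trusted
# channel (not from the same server the certificate was downloaded from).

# Hypothetical target directory; update-ca-certificates only picks up files
# ending in .crt below /usr/local/share/ca-certificates.
CA_DIR=${CA_DIR:-/usr/local/share/ca-certificates/extra-certificates}

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab cd ..." to bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only if the file parses as a PEM certificate and its SHA-256
# fingerprint equals the expected one; 2 if it cannot be parsed, 1 on mismatch.
verify_ca_cert() {
    vc_actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ "$(normalize_fp "$vc_actual")" = "$(normalize_fp "$2")" ]
}

# Verify, refuse expired certificates, then install and rebuild the bundle.
install_ca_cert() {
    case $1 in *.crt) ;; *) echo "file name must end in .crt: $1" >&2; return 1 ;; esac
    verify_ca_cert "$1" "$2" || {
        echo "refusing $1: unreadable or fingerprint mismatch" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || {
        echo "refusing $1: certificate has expired" >&2; return 1; }
    mkdir -p "$CA_DIR" &&
        install -m 0644 "$1" "$CA_DIR/$(basename "$1")" &&
        update-ca-certificates
}

# Usage (as root): sh install-ca.sh foo.crt 'AB:CD:...'
if [ "$#" -eq 2 ]; then
    install_ca_cert "$1" "$2"
fi
```

Run with no arguments the script only defines its functions and changes nothing on the system.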