Add Trusted Root CA certificate on Ubuntu

Marc-André Moreau published on

Do you need to add a custom trusted root CA on Ubuntu, and somehow always forget the correct procedure? Here's a quick reminder to use as reference!

Certificates need to be in PEM (textual) format, with the .crt extension. Use the file command to tell if the certificate file is using the DER (binary) format:

$ file -b my-root-ca.cer

If the file command returns "data", or anything other than "PEM certificate", then convert it using OpenSSL:

$ openssl x509 -inform der -in my-root-ca.cer -out my-root-ca.crt

The .cer and .der file extensions are normally used for binary encoding, but the .crt file extension is used for both binary and textual encodings. Ensure that the resulting certificate uses PEM encoding with the .crt file extension:

$ file -b my-root-ca.crt
PEM certificate

Move the certificate file to '/usr/local/share/ca-certificates/' and then call update-ca-certificates:

$ sudo mv my-root-ca.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates

That's it, your root CA certificate should now be trusted system-wide!
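
The whole procedure above as one script. This is an added example, not code from the original post: it also refuses files that are not CA certificates and prints the subject and SHA-256 fingerprint before anything is trusted. The function names `cert_encoding` and `stage_root_ca` and the script name `add-root-ca.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: stage a root CA for update-ca-certificates.
# Function and script names are assumptions made for this example.

# cert_encoding FILE -> prints "pem", "der" or "unknown", ignoring the extension.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der    # DER starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# stage_root_ca SRC DEST_DIR -> writes DEST_DIR/<name>.crt as PEM, prints its path.
# Refuses input that is not a certificate or does not carry CA:TRUE.
stage_root_ca() {
    src=$1
    dest_dir=$2
    enc=$(cert_encoding "$src")
    if [ "$enc" = unknown ]; then
        echo "error: $src is not a PEM or DER certificate" >&2
        return 1
    fi
    name=$(basename "$src")
    out="$dest_dir/${name%.*}.crt"
    # Re-encode through openssl so the result is one clean PEM certificate.
    openssl x509 -inform "$enc" -in "$src" -out "$out" || return 1
    if ! openssl x509 -in "$out" -noout -text | grep -q 'CA:TRUE'; then
        echo "error: $src is not a CA certificate (no CA:TRUE)" >&2
        rm -f "$out"
        return 1
    fi
    # Show what is about to be trusted, for comparison with the CA's published values.
    openssl x509 -in "$out" -noout -subject -fingerprint -sha256 >&2
    echo "$out"
}

# Usage: sudo sh add-root-ca.sh my-root-ca.cer
if [ "$#" -ge 1 ]; then
    stage_root_ca "$1" /usr/local/share/ca-certificates && update-ca-certificates
fi
```

Programs that ship their own trust store, such as Firefox or Python's certifi bundle, do not read the system store and need the CA added separately.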