How do I install a root certificate?

Installing a root/CA Certificate

Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

   sudo mkdir /usr/share/ca-certificates/extra
   

2. Copy the CA .crt file to this directory:

   sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
   

3. Let Ubuntu add the .crt file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:

   sudo dpkg-reconfigure ca-certificates
   

   To do this non-interactively, run:

   sudo update-ca-certificates
   

In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

openssl x509 -in foo.pem -inform PEM -out foo.crt

Given a CA certificate file 'foo.crt', follow these steps to install it on Ubuntu:

First, copy your CA to dir /usr/local/share/ca-certificates/

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

then, update CA store

sudo update-ca-certificates

That's all. You should get this output:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:foo.pem
done.
done.

No file is needed to edit. Link to your CA is created automatically.

Please note that the certificate filenames have to end in .crt, otherwise the update-ca-certificates script won't pick up on them.

This procedure works also in newer versions: manuals.

Install a Certificate Authority on Ubuntu

I have tested this on Ubuntu 14.04.

Here is my solution, I looked and looked for a long time trying to figure out how to get this to work.

1. Extract the .cer from browser. I used IE 11.
   • Settings -> Internet Options -> Intermediate Certificate Authorities
   • Select The Certificate Authority You Want To Export (certutil -config - -ping will show you the ones you are using if you are behind a corporate proxy)
   • Export -> Select The Format You Want To Use: DER Encoded .cer
2. Get the .cer files to Ubuntu somehow
3. Convert to .crt openssl x509 -inform DER -in certificate.cer -out certificate.crt
4. Make extra directory sudo mkdir /usr/share/ca-certificates/extra
5. Copy certificates over sudo cp certificate.crt /usr/share/ca-certificates/extra/certificate.crt
6. sudo update-ca-certificates
7. If not, then you have to do what I did, go to sudo nano /etc/ca-certificates.conf
8. Scroll down and find your .cer and remove the ! from in front of the file name (update-ca-certificates doc) - if you don't find your certificate run dpkg-reconfigure ca-certificates
9. Run sudo update-ca-certificates
10. You may need to individually trust the CAs from Firefox, Chrome, etc.. , I needed it to work with Docker so after these steps it worked with Docker.