Windows OS Hub

March 11, 2024

Adding Trusted Root Certificates on Linux

This article will explain how to add (install) a new certificate to the trusted root certificate list on Linux.

Contents:
  • How to Install the Root Certificate in the Trust Store on Linux?
  • Adding a Trusted CA Certificate to Chrome and Firefox

Let’s say you are using a self-signed SSL/TLS certificate but don’t want the client browser to show the SEC_ERROR_UNKNOWN_ISSUER error whenever your site is opened.
SEC_ERROR_UNKNOWN_ISSUER error on browser

In this example, we will install a self-signed certificate from an IIS website running on a Windows Server.

To check if your Linux host cannot verify (and therefore does not trust) the SSL certificate on a certain site, run the following command:

$ curl -I https://woshub.local

curl: (60) SSL certificate problem: unable to get local issuer certificate. More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Validate website certificate using cURL

In this case, we need to add this website’s Root CA to the list of trusted certificates on Linux.

How to Install the Root Certificate in the Trust Store on Linux?

If you want to update your trusted certificate store on Linux, the first thing you need is the certificate’s PEM file with a *.crt extension. A PEM certificate is a base64-encoded text file that starts with the line -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

PEM (X.509 certificate) file with .CRT extension

If your certificate file is stored in binary DER format, convert it to PEM with the openssl command (give the output a .crt extension, because update-ca-certificates only picks up *.crt files):

$ openssl x509 -in my_trusted_sub_ca.der -inform der -outform pem -out my_trusted_sub_ca.crt

Now let’s see how you can add your CA root certificate to the trust list in DEB-based Linux distros (Ubuntu, Debian, Mint, Kali Linux, etc.).

First, copy your certificate files to the certificate store folder (/usr/local/share/ca-certificates/):

$ sudo cp my_trusted_sub_ca.crt /usr/local/share/ca-certificates/
$ sudo cp my_trusted_root_ca.crt /usr/local/share/ca-certificates/

Update the certificate store using the command:

$ sudo update-ca-certificates -v

If the command is not found, you need to install the package on your Ubuntu/Debian host:

$ sudo apt-get install -y ca-certificates

update-ca-certificates - updates the directory /etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt

If the certificates have been successfully added, you will see a message saying that the certificate has been copied to /etc/ssl/certs/:

Updating certificates in /etc/ssl/certs…
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d

Here’s another way to add new certificates to the trusted store on Linux:

$ sudo dpkg-reconfigure ca-certificates

Check out the list of certificates and select the ones you want to add to the trusted ones.

dpkg-reconfigure ca-certificates

On Debian-based distros, the list of trusted certificates is kept in the bundle file /etc/ssl/certs/ca-certificates.crt. Both of the above commands rebuild this file and add the new certificates to it.

Use the following command to make sure that your certificates have been added to the trust list:

$ awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep -i YourCASubj

Specify the Common Name part of your certificate instead of YourCASubj to search the store by subject.

list trusted certificates linux

You can see if your OS trusts the certificate by using the command:

$ openssl verify my_trusted_sub_ca.crt

openssl verify certificate chain

If your Linux host does not trust the certificate, you will get an error:

error 20 at 0 depth lookup: unable to get local issuer certificate
error my_trusted_sub_ca.crt: verification failed
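To see why openssl verify fails before the issuing CA is in the store and passes afterwards, here is an added example (not from the article): it builds a disposable test CA and a server certificate with openssl, checks store membership by SHA-256 fingerprint rather than by subject, and appends the CA to a bundle the way update-ca-certificates assembles ca-certificates.crt. The woshub.local subject and all file names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: build a throwaway test PKI with
# openssl and show that "openssl verify" succeeds only once the issuing CA is in the
# PEM bundle. All file names and certificate subjects below are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: our root CA, an unrelated root CA, and a site cert issued by our root.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=woshub.local" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/site.crt" 2>/dev/null
}

# Fingerprint every certificate in a PEM bundle, one per line (the article's split-on-BEGIN awk trick).
bundle_fingerprints() {
  awk -v cmd='openssl x509 -noout -fingerprint -sha256' \
      '/BEGIN CERTIFICATE/{close(cmd)} {print | cmd}' "$1"
}

# Is cert $1 already in bundle $2? Matched by fingerprint, so another CA with the same CN does not count.
ca_in_bundle() {
  local want
  want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  [ "$(bundle_fingerprints "$2" | grep -cxF -- "$want")" -gt 0 ]
}

# Append $1 to bundle $2 unless present, as update-ca-certificates does when rebuilding ca-certificates.crt.
add_to_bundle() {
  ca_in_bundle "$1" "$2" || cat "$1" >> "$2"
}

# Does site cert $1 chain to a CA in bundle $2 alone (no default store)? Prints "trusted" or "untrusted".
verify_against() {
  if openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

main() {
  make_test_pki
  cp "$WORK/other.crt" "$WORK/bundle.crt"                                # store that lacks our CA
  echo "before: $(verify_against "$WORK/site.crt" "$WORK/bundle.crt")"  # untrusted
  add_to_bundle "$WORK/root.crt" "$WORK/bundle.crt"
  echo "after:  $(verify_against "$WORK/site.crt" "$WORK/bundle.crt")"  # trusted
}
main "$@"
```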

You can use curl to ensure that the site uses a trusted SSL certificate:

$ curl -I https://woshub.local

If everything is all right, curl prints the HTTP response headers without a certificate error: the site’s certificate is now trusted.

check for trusted ssl connection with curl on linux

Note that a certificate file can also be added to the trust list manually. Copy it to a subfolder of /usr/share/ca-certificates/ and reference it in /etc/ca-certificates.conf:

$ sudo mkdir /usr/share/ca-certificates/extra
$ sudo cp my.crt /usr/share/ca-certificates/extra/mycert1.crt
$ sudo vim /etc/ca-certificates.conf

Add a line with the path of the new file, relative to /usr/share/ca-certificates/:

extra/mycert1.crt

Then update the store:

$ sudo update-ca-certificates

To remove the certificate from the trusted list, simply delete your .crt file:

$ sudo rm /usr/local/share/ca-certificates/yourcert.crt

And update the CA store:

$ sudo update-ca-certificates --fresh

To add a certificate to the trust list on RPM-based Linux distros (CentOS, Oracle, RHEL, Rocky Linux, Fedora), use the following procedure:

  1. Install the ca-certificates package: # yum install ca-certificates
  2. Copy the certificate file to /etc/pki/ca-trust/source/anchors/: # cp mycert.crt /etc/pki/ca-trust/source/anchors/
  3. Update the trusted certificate store:
     # update-ca-trust force-enable
     # update-ca-trust extract

And here’s a similar article on managing the trusted root certificate store on Windows.

Adding a Trusted CA Certificate to Chrome and Firefox

After performing the above steps, all system tools will trust websites that use this CA. However, this will not affect the Mozilla Firefox or Google Chrome web browsers, as they will still show a warning message about the untrusted certificate.

The thing is that Firefox, Chromium, Google Chrome, Vivaldi, and even Mozilla Thunderbird e-mail client don’t use the Linux system certificate store. The certificate store for these programs can be found in the user’s directory in the cert8.db (for Mozilla) or cert9.db file (for Chromium and Chrome). To update these certificate stores, you can use the certutil tool from the libnss3-tools package.

First, install the package:

$ sudo apt install libnss3-tools

install libnss3-tools on linux

Now run the following bash script to add your certificates to the store via NSS:

#!/bin/bash
# Root CA file to import and the nickname it gets in each NSS database
certfile="my_trusted_root_ca.crt"
certname="My Root CA1"
# Trust flags "TCu,Cu,Tu": trusted CA (C) for SSL, trusted to issue client certs (T),
# and a user cert (u) in the SSL, e-mail and object-signing slots respectively.
# Legacy (dbm) NSS databases: cert8.db
find ~/ -name "cert8.db" | while read -r certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d dbm:"${certdir}"
done
# Modern (sqlite) NSS databases: cert9.db
find ~/ -name "cert9.db" | while read -r certDB
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d sql:"${certdir}"
done

Once that’s done, websites with the given CA will be trusted by all browsers.

1 comment

jennifer February 20, 2023 - 7:44 am

Thanks a lot! Your tutorial helps me a lot to add the certificate.
