How do you add a certificate authority (CA) to Ubuntu?

186

101

My work has decided to issue their own certificate authority (CA) to handle different aspects of our work securely without paying for certificates.

  • Cryptographically sign emails
  • Encrypt email contents
  • Make access to things like the company IRC client-certificate based.
  • Revoke the keys of former employees automatically

They sent me a .pem file, and I'm not sure how to add it to my Ubuntu install. The instructions sent were: "Double-clicking on it on a Mac should install it." 

How do I proceed? Do I need to do something with OpenSSL to create a .key, .csr, or .crt file?

Xeoncross

Posted 2012-06-15T16:14:17.410

Reputation: 3 274

the comment "The instructions sent were: "Double-clicking on it on a Mac should install it."" made my day – mzoll – 2019-09-19T09:43:14.143

Answers

253

Installing a CA

Copy your certificate in PEM format (the format that has -----BEGIN CERTIFICATE----- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.

Then run sudo update-ca-certificates.

Caveats: This installation only affects products that use this certificate store. Some products may use other certificate stores; if you use those products, you'll need to add this CA certificate to those other certificate stores, too. (Firefox Instructions, Chrome Instructions, Java Instructions)

Testing The CA

You can verify if this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CAs concatenated together).

You can also use OpenSSL's s_client by trying to connect to a server that you know is using a certificate signed by the CA that you just installed.

$ openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs

CONNECTED(00000003)
depth=1 C = US, ST = Virginia, O = "Whatever, Inc.", CN = whatever.com, emailAddress = admin@whatever.com
verify return:1
depth=0 C = US, ST = Virginia, L = Arlington, O = "Whatever, Inc.", CN = foo.whatever.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Arlington/O=Whatever, Inc./CN=foo.whatever.com
   i:/C=US/ST=Virginia/O=Whatever, Inc./CN=whatever.com/emailAddress=admin@whatever.com

... snip lots of output ...

    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1392837700
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

The first thing to look for is the certificate chain near the top of the output. This should show the CA as the issuer (next to i:). This tells you that the server is presenting a certificate signed by the CA you're installing.

Second, look for the verify return code at the end to be set to 0 (ok).

Mark E. Haase

Posted 2012-06-15T16:14:17.410

Reputation: 3 243
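The install-and-verify procedure from this answer, together with the .crt-naming and DER-conversion points raised in the comments, as one added shell script. This is an added example, not code from the answer or from Ubuntu's ca-certificates package. It assumes the openssl command line (1.1.1 or newer) and a POSIX awk; the store directory, the bundle path, the certificate name and the foo.whatever.com host are placeholders passed in as parameters:

```shell
#!/bin/sh
# Added example (not from the answer above): stage a CA certificate for
# update-ca-certificates and confirm it really ended up in the bundle.
# Assumes the openssl CLI (>= 1.1.1) and a POSIX awk; directory, bundle,
# name and host arguments are placeholders chosen by the caller.
set -e

# Write CERT to OUT as PEM. Accepts PEM or DER input (.cer files are often DER).
to_pem() {
    if openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Refuse anything that is not a CA certificate: dropping a server's leaf
# certificate into the CA store is a common mistake and nothing will verify.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Stage CERT as NAME.crt under DIR (default /usr/local/share/ca-certificates).
# update-ca-certificates only picks up files ending in .crt, so any extension
# on NAME is dropped and exactly one .crt is appended. Run
# `sudo update-ca-certificates` afterwards to rebuild the bundle.
stage_ca() {
    cert=$1; name=${2%%.*}; dir=${3:-/usr/local/share/ca-certificates}
    mkdir -p "$dir"
    to_pem "$cert" "$dir/$name.crt"
    if ! is_ca_cert "$dir/$name.crt"; then
        echo "$cert is not a CA certificate, not installing it" >&2
        rm -f "$dir/$name.crt"
        return 1
    fi
}

# Stand-in for the part of update-ca-certificates that matters for the check
# below: concatenate every .crt in DIR into a single bundle at OUT.
build_bundle() {
    cat "$1"/*.crt > "$2"
}

# Return 0 if BUNDLE contains a certificate with the same SHA-256 fingerprint
# as CERT. Matching on the fingerprint, not the subject, avoids being fooled
# by a look-alike certificate with the same DN.
bundle_has_cert() {
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    tmp=$(mktemp -d)
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    rc=1
    for p in "$tmp"/*.pem; do
        if [ "$(openssl x509 -in "$p" -noout -fingerprint -sha256 2>/dev/null)" = "$want" ]; then
            rc=0
            break
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Offline check: does LEAF chain to something in BUNDLE?
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Live check against HOST[:PORT]. -servername sends SNI, which s_client does
# not do by default and which a virtual-hosting server needs in order to
# present the right certificate; prints the "Verify return code" line.
probe_server() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null 2>/dev/null |
        grep 'Verify return code'
}
```

stage_ca needs write access to /usr/local/share/ca-certificates, so run it (and update-ca-certificates afterwards) as root. build_bundle exists only so the fingerprint check can be exercised against a scratch directory; it is not a replacement for update-ca-certificates, which also writes the hashed symlinks under /etc/ssl/certs that -CApath relies on.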

this one actually works – Sabareesh Kkanan – 2015-08-04T20:14:54.397

Thanks for noting that firefox / chrome do not use the default cert store. – Tim Strijdhorst – 2015-12-10T16:26:57.020

Note that update-ca-certificates can be very finicky (probably by design). mycert.pem.crt did NOT work, but mycert.crt did. I also think that it needs to be /usr/local/share/ca-certificates, not /usr/share/ca-certificates (despite what comments said in the /etc/ca-certificates.conf). – labyrinth – 2015-12-15T17:39:44.773

Thanks for the crt extension comment, that was the secret to getting this to work for me, I was given a cert with a cert extension and was confused as to why nothing was working. – Ransom Briggs – 2016-03-29T16:31:53.287

One caveat: s_client doesn't send SNI by default and the server may need SNI especially if it supports virtual hosts/sites with different certs; for this case add -servername foo.whatever.com. Or if it's a web server use (modern versions of) curl or wget which do SNI automatically. – dave_thompson_085 – 2016-05-14T03:40:51.490

It is actually good to complement with @missmah's answer: After copying the certificates into /usr/share/ca-certificates you can execute sudo dpkg-reconfigure ca-certificates so you don't need to manually add the certificate lines in /etc/ca-certificates.conf and don't need to execute update-ca-certificates, since dpkg already does these 2 steps. – jyz – 2016-07-28T14:54:45.357

This worked to get the certs in /etc/ssl/certs/ca-certificates.crt but apt is still failing on everything saying "Data from such a repository can't be authenticated" Is this a different problem? – endolith – 2016-10-14T15:28:35.480

@endolith Probably a different problem. apt often uses HTTP links (not HTTPS) so that certificate authorities are usually not involved. Instead, apt uses GPG keys to authenticate downloaded files. You should try searching for Q&A related to apt keys, sources.list, etc. or ask a new a question. – Mark E. Haase – 2016-10-14T15:38:17.203

@mehaase Ok thanks, it's a corporate firewall issue, I thought it was just SSL interception like everything else – endolith – 2016-10-14T15:56:53.183

IT at work had set themselves up as CA, and their automatic rollout had installed the certificate in IE and chrome. But Firefox, virtual machines and everything else didn't know about the certificate. This answer was very helpful in determining and fixing the issue. Thanks a bunch – Eldamir – 2017-03-27T10:39:39.420

The fact that the certificate should be in PEM format but named .crt was the thing that helped me, thanks for the detailed answer, I was able to convert to PEM and finally get it working. – StormPooper – 2017-12-14T12:21:27.460

This was really helpful for me. I had already spent 2 days on this misconfiguration. Thanks mate – plonknimbuzz – 2018-12-10T07:21:28.270

I'm still getting "verify error:num=20:unable to get local issuer certificate" when running 'openssl s_client -connect company.server:443' - Running my curl commands with -k is starting to look like the only intelligible approach to certificate handling... – Alex Jansen – 2019-01-08T23:15:03.747

I had to add --fresh to get it to work. e.g. sudo update-ca-certificates --fresh – Elijah Lynn – 2019-06-25T04:13:35.190

69

man update-ca-certificates:

update-ca-certificates  is a program that updates the directory /etc/ssl/certs to hold SSL
certificates  and  generates  ca-certificates.crt,  a  concatenated  single-file  list  of
certificates.

It  reads  the  file  /etc/ca-certificates.conf.  Each  line  gives  a  pathname  of  a CA
certificate under /usr/share/ca-certificates that should be  trusted.   Lines  that  begin
with  "#"  are  comment lines and thus ignored.  Lines that begin with "!" are deselected,
causing the deactivation of the CA certificate in question. Certificates must have a  .crt
extension in order to be included by update-ca-certificates.

Furthermore  all  certificates  with  a  .crt  extension  found below /usr/local/share/ca-
certificates are also included as implicitly trusted.

From the above, I would infer that the preferred way to get local certificate files into the trusted store is to put them into /usr/local/share/ca-certificates, and then run update-ca-certificates. You do not need to touch /etc/ssl/certs directly.

Steven Monday

Posted 2012-06-15T16:14:17.410

Reputation: 1 445

Thanks for the note @phyzome -- would not have been able to add my cert otherwise. – Seiyria – 2015-03-17T14:03:05.610

I had to add --fresh to get it to work. e.g. update-ca-certificates --fresh – Elijah Lynn – 2019-06-25T04:13:07.970

Naming the certificates with .crt extensions seemed to be required as well. – treat your mods well – 2013-03-05T23:12:27.810

15

The other answers regarding update-ca-certificates are correct for applications that read from the system certificate store. For Chrome and Firefox, and probably some others, the certificate must be put in the nssdb, the backend for the Mozilla NSS library.

From https://code.google.com/p/chromium/wiki/LinuxCertManagement:

For example, to trust a root CA certificate for issuing SSL server certificates, use

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>

Where <certificate nickname> is arbitrary, and <certificate filename> is your .pem or .crt file.

Other helpful references:

Johann

Posted 2012-06-15T16:14:17.410

Reputation: 451
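The certutil import from this answer, together with the create-the-database-first step from the comments, as one added shell script. This is an added example, not code from the answer or from the Chromium wiki it quotes. It assumes certutil from the libnss3-tools package; the database directory and the nickname are parameters, and the listing used to exercise the parser is constructed in the shape of certutil -L output rather than captured from a real database:

```shell
#!/bin/sh
# Added example (not from the answer above): import a CA into the per-user
# NSS database that Chrome reads and confirm it is trusted for SSL.
# Assumes certutil (libnss3-tools); database path and nickname are parameters.
set -e

# Create the user database if it does not exist yet: Chrome only creates it on
# its first run, and certutil errors out on a missing directory instead of
# creating one.
ensure_nssdb() {
    db=$1
    if [ ! -f "$db/cert9.db" ]; then
        mkdir -p "$db"
        chmod 700 "$db"
        certutil -d "sql:$db" -N --empty-password
    fi
}

# Read `certutil -L` output on stdin and succeed only if NICK is listed with
# the C flag in the first (SSL) trust column. C marks a trusted CA for server
# certificates; an entry with only P/p (trusted peer) or with empty flags is
# present in the database but Chrome will still warn about sites it issued.
# The header lines are skipped because their last field is not three
# comma-separated flag groups.
listing_has_trusted_ca() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
            split($NF, flags, ",")
            if (name == nick && flags[1] ~ /C/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Import CERT (PEM or DER) under NICK with the trust attributes from the
# Chromium wiki, then read the listing back instead of trusting the exit code.
add_ca_to_nssdb() {
    db=$1; cert=$2; nick=$3
    ensure_nssdb "$db"
    certutil -d "sql:$db" -A -t "C,," -n "$nick" -i "$cert"
    certutil -d "sql:$db" -L | listing_has_trusted_ca "$nick"
}
```

Typical use is add_ca_to_nssdb "$HOME/.pki/nssdb" company-ca.crt "Company Root CA", once per user, since this database is per user and not the system store; Chrome has to be restarted to pick up the change.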

thanks. It works on Ubuntu 16.04 for Chrome 53.0.2785.143, but Firefox 49 seems to have a separate store db and it must be added from about:preferences#advanced [View Certificates] -> [Authorities] -> [Import]

More about firefox cert store. http://askubuntu.com/a/248326/535154

– mauron85 – 2016-10-12T12:31:04.920

By the way, if you want to install cert before first run of Chrome (i.e. while .pki/ dir is still missing), you must first create the nssdb: mkdir -p $HOME/.pki/nssdb && chmod -R 0700 $HOME/.pki && certutil -d sql:$HOME/.pki/nssdb -N --empty-password – akavel – 2016-12-15T16:21:19.017

There is a way to get Chrome and Firefox to read from the system certificate store. See my answer: https://superuser.com/a/1312419/506107

– wheeler – 2018-04-10T01:05:31.197

This is fantastic, thank you. Can now use Slack and Teams Preview behind Corporate SSL Decrypt flawlessly. – Bevan – 2020-01-21T23:01:01.897

15

I had same issue, and I had to copy the .pem file to /usr/local/share/ca-certificates, renaming it as .crt. The .cer file can easily be converted to .pem, with openssl, for example, if you don't have the .pem.

After copying the file you must execute sudo update-ca-certificates.

greuze

Posted 2012-06-15T16:14:17.410

Reputation: 293

openssl x509 -inform DER -in certificate.cer -out certificate.crt – webwurst – 2018-02-26T11:37:24.547

11

For newer builds based on Debian, you may need to run:

sudo dpkg-reconfigure ca-certificates

NOTE: sudo dpkg-reconfigure ca-certificates calls update-ca-certificates internally

You'll of course still need to copy the certificate (.crt file) to /usr/share/ca-certificates before you do any of this :)

missmah

Posted 2012-06-15T16:14:17.410

Reputation: 111

6

Building on dwmw2's answer, you can actually tell applications that use NSS for their certificate management to use the system trust store.

libnss3 by default ships with a read-only set of root CA certificates (libnssckbi.so), so most of the time you need to manually add them yourself to the local user trust store located in $HOME/.pki/nssdb. p11-kit offers a drop-in replacement for libnssckbi.so that acts as an adapter to the system-wide root certificates installed in /etc/ssl/certs.

Edit:

There seem to be more versions of libnssckbi.so out there than just in libnss3. The following is a script to find them all, back them up, and replace them with links to p11-kit:

sudo apt-get update && sudo apt-get install -y p11-kit libnss3
P11_TRUST=/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
[ -f "$P11_TRUST" ] || { echo "$P11_TRUST not found" >&2; exit 1; }
# -type f skips copies that are already symlinks, so rerunning is safe
find / -type f -name "libnssckbi.so" 2>/dev/null | while read -r line; do
    sudo mv "$line" "${line}.bak"
    sudo ln -s "$P11_TRUST" "$line"
done

Original instructions:

To do this, install p11-kit and libnss3 (if they are not already installed):

sudo apt-get update && sudo apt-get install -y p11-kit libnss3

Then backup the existing libnssckbi.so provided by libnss3:

sudo mv /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so.bak

Finally, create the symbolic link:

sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

To confirm that it worked, you can run ll /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so and it should show the link:

lrwxrwxrwx 1 root root 49 Apr  9 20:28 /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so -> /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so

Now, if you add a certificate to the CA store using update-ca-certificates, those certificates will now be available to applications using NSS (libnss3) such as Chrome.

wheeler

Posted 2012-06-15T16:14:17.410

Reputation: 201

I've been fighting Ubuntu 18.04 to try and get this to work for the past 3 days and it won't work for whatever reason. I link the p11-kit-trust.so to the libnssckbi.so but when I do that there are no certificates at all any longer. Any website I go to that's HTTPS enabled (which is basically all of them) prompts that there is a security issue. Is there something obvious I'm missing? – Kevin Vasko – 2019-10-25T21:34:03.010

3

As noted, various applications using NSS have their own certificate store. As things stand on Ubuntu, you have to manually use certutil to add your CAs for each application, for each user.

In other distributions like Fedora, this kind of thing Just Works™ and you should file a bug against any application which doesn't automatically trust the CAs you install with update-ca-trust.

You can fix this in Ubuntu too by installing the p11-kit-modules package and then replacing the NSS built-in trust roots module with p11-kit-trust.so, by making a symbolic link for example from /usr/lib/firefox/libnssckbi.so to /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so

Then you will get the system's configured trust roots, not some hard-coded ones. Note that Ubuntu ships multiple different copies of that libnssckbi.so library with the hard-coded trust roots, and you have to replace all of them!

cf. https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1647285

dwmw2

Posted 2012-06-15T16:14:17.410

Reputation: 171

When I did sudo find / -type f -name "libnssckbi.so", It found libnssckbi.so in three places: /usr/lib/thunderbird/, /usr/lib/firefox/, and /usr/lib/x86_64-linux-gnu/nss/. So you are saying that I should link the libnssckbi.so in all three of those folders to p11-kit-trust.so? – wheeler – 2018-04-10T00:06:43.027

Okay, just confirmed that linking /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so -> /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so worked like a CHARM. I was able to add a certificate into /usr/local/share/ca-certificates, run sudo update-ca-certificates, and PRESTO, Chrome started to accept the self-signed certificates. – wheeler – 2018-04-10T00:32:10.573

@dwmw2 I've been fighting Ubuntu 18.04 to try and get this to work for the past 3 days and it won't work for whatever reason. I link the p11-kit-trust.so to the libnssckbi.so but when I do that there are no certificates at all any longer. Any website I go to that's HTTPS enabled (which is basically all of them) prompts that there is a security issue. Is there something obvious I'm missing? – Kevin Vasko – 2019-10-25T21:44:17.693

1

Seriously stupid answer to add here, but I had spent 2 hours going back and forth with certutils in linux... I was sure everything was correct:

hutber@hutber-mint /var/www/asos-mvt-framework $ certutil -L -d sql:${HOME}/.pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

anyproxy                                                     CT,, 
rootCA                                                       CT,, 
myasos                                                       CT,, 

But still, in chrome nothing was working. I tried everything, in the end....

Restarting Chrome

Was the key to my success after following: Steven Monday's advice

Jamie Hutber

Posted 2012-06-15T16:14:17.410

Reputation: 323