Add Certificate Authorities on Ubuntu

Linux Nov 26, 2018

A little how-to on adding and trusting a certificate authority on Ubuntu (and possibly Debian, though I haven't checked).


First obtain a copy of the CA's certificate file in PEM format.

You can check if a certificate file is in this format by opening it in a text editor of your choice. When opened, if you see regular text characters (and not random symbols) and the file starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, it's in PEM format.

From here onwards, I'm assuming your certificate file is called ca.crt; if it isn't, change the commands accordingly.

If you want to view the contents of the certificate, you can do so with OpenSSL as follows:

$ openssl x509 -in ca.crt -text
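
The PEM check and the OpenSSL inspection described above can be scripted before anything is copied into the trust store. This is an added example, not part of the original post: the helper names pem_kind and show_ca_details are hypothetical, and GNU grep (as shipped on Ubuntu) is assumed for the -a option.

```shell
#!/bin/sh
# Added example (not from the original post). ca.crt is the post's file name;
# pem_kind and show_ca_details are hypothetical helper names.

# pem_kind FILE -> prints one of: pem-cert, pem-bundle, private-key, not-pem
pem_kind() {
    f=$1
    [ -r "$f" ] || { echo "not-pem"; return 1; }
    # Key material must never land in the world-readable certificate store.
    if grep -a -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "private-key"; return 1
    fi
    # grep -c exits non-zero on a count of 0, hence "|| true".
    begins=$(grep -a -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -a -c -e '^-----END CERTIFICATE-----' "$f" || true)
    first=$(head -n 1 "$f" | tr -d '\r\0')
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ] ||
       [ "$first" != "-----BEGIN CERTIFICATE-----" ]; then
        echo "not-pem"; return 1      # e.g. binary DER, or a truncated file
    fi
    if [ "$begins" -gt 1 ]; then
        echo "pem-bundle"; return 2   # several certificates: review each one
    fi
    echo "pem-cert"
}

# show_ca_details FILE -> prints the identity data to compare with the values
# the CA publishes; fails if the certificate is not marked as a CA.
show_ca_details() {
    openssl x509 -in "$1" -noout -subject -issuer -dates \
        -fingerprint -sha256 || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' ||
        { echo "basicConstraints does not say CA:TRUE" >&2; return 1; }
}

# Usage: pem_kind ca.crt && show_ca_details ca.crt
```

Compare the SHA-256 fingerprint it prints with one obtained from the CA through a separate channel before trusting the file.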

Installing and Trusting the CA

Copy the certificate file to /usr/share/ca-certificates, or a subdirectory of it.

# cp ca.crt /usr/share/ca-certificates

Then reconfigure the ca-certificates package to trust it.

# dpkg-reconfigure ca-certificates

This will launch a text-based wizard asking you if you want to trust new certificate authorities. It's best to select ask in case a rogue CA has made its way in there without your knowledge.


Use the arrow keys to select ask and press enter to confirm. Next you will be shown a list of CAs; any with a star in the brackets ([*]) on the left are trusted. To toggle trust, press space. After trusting your new CA, press enter to confirm and the new CA will be installed.

