
Adding custom root CA certificates to Debian is rather easy, but there are some non-obvious pitfalls that you might encounter. Here I’ve tried to collect most things in a single post for your convenience.
Adding Custom Root CA Certificates
Debian allows you to import custom root CA certificates rather easily: add them to the folder /usr/local/share/ca-certificates and run a single command, update-ca-certificates.
But for clarity’s sake, I recommend that you create a subdirectory for each CA, which makes things easier to keep track of.
sudo mkdir /usr/local/share/ca-certificates/my-custom-ca
Then copy your root CA certificate into the folder you just created.
Debian only picks up X.509 certificates stored as .crt files, so if your certificate is in the .cer format, see my guide on how to convert it below.
sudo cp rootCA.crt /usr/local/share/ca-certificates/my-custom-ca/
Then you’ll need to run the update-ca-certificates command to make Debian load the certificates into its Trusted Root Certificate Store.
sudo update-ca-certificates
You should see output similar to this:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Converting Certificates to .crt
Sometimes you’ll run into the problem that the root CA certificate that has been provided to you isn’t in the .crt format, but instead in the similar but not quite equivalent .cer format. Converting it is quite easy using OpenSSL; just make sure that you use the full file path for the .cer certificate.
openssl x509 -inform PEM -in <fullfilepath>/certificate.cer -out certificate.crt
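A .cer file can be DER (binary) rather than PEM encoded, and -inform PEM fails on those. The script below is an added example, not part of the original post: it detects the encoding, writes a PEM .crt into a staging directory, and shows the fingerprint to compare before you copy the file into place. The function names and the staging directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: normalise a CA certificate to a PEM-encoded .crt file and
# inspect it before it goes into /usr/local/share/ca-certificates.
# Function names and the staging directory are assumptions of this example.

# Print "pem", "der" or "unknown" depending on how the file in $1 is encoded.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der    # DER starts with an ASN.1 SEQUENCE tag, byte 0x30
    else
        echo unknown
    fi
}

# Write $1 as a PEM-encoded <name>.crt into directory $2 and print its path.
to_crt() {
    name=$(basename "$1")
    out="$2/${name%.*}.crt"
    case $(cert_encoding "$1") in
        pem) openssl x509 -inform PEM -in "$1" -out "$out" ;;
        der) openssl x509 -inform DER -in "$1" -out "$out" ;;
        *)   echo "not an X.509 certificate: $1" >&2; return 1 ;;
    esac || return 1
    echo "$out"
}

# Succeed only if the certificate in $1 is marked as a CA (basicConstraints).
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage: sh check-ca.sh <certificate> [staging-dir]
if [ "$#" -ge 1 ]; then
    stage=${2:-$(mktemp -d)}   # staging dir must differ from the source's dir
    crt=$(to_crt "$1" "$stage") || exit 1
    is_ca "$crt" || { echo "warning: $crt is not a CA certificate" >&2; exit 1; }
    # Compare this fingerprint with the one published by the CA owner.
    openssl x509 -in "$crt" -noout -subject -enddate -fingerprint -sha256
    echo "next: sudo cp $crt /usr/local/share/ca-certificates/my-custom-ca/"
fi
```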
Removing Custom Root CA Certificates
Removing your custom root CA certificate is even simpler: delete the certificate from the folder you created earlier, and then ask Debian to update the CA certificate store, but completely this time:
sudo update-ca-certificates --fresh