Adding custom root CA certificates to Debian is rather easy, but there are some non-obvious pitfalls that you might encounter. Here I’ve tried to collect most things to a single post for your convenience.
Adding Custom Root CA Certificates
Debian allows you to import custom root CA certificates rather easily by just adding them to the folder
/usr/local/share/ca-certificates and running a single command,
But for claritys sake, I recommend that you create a subdirectory for each CA which makes things easier to keep track off.
sudo mkdir /usr/local/share/ca-certificates/my-custom-ca
Then copy your root CA certificate into the folder you just created.
Debian only supports certificates in the X509 form, aka.
.crt, so if your certificate is in the
.cer format, see my guide on how to convert it below.
sudo cp rootCA.crt /usr/local/share/ca-certificates/my-custom-ca/
Then you’ll need to run the
update-ca-certificates command to make Debian load the certificates into it’s Trusted Root Certificate Store.
You should see an output similar to this
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
Converting Certificates to .crt
Sometimes you’ll run into the problem that the root CA certificate that has been provided to you isn’t in the
.crt format, but instead in the similar but not quite equivalent
.cer format. Converting them is however quite easy using OpenSSL, just make sure that you use the full filepath for the
openssl x509 -inform PEM -in <fullfilepath>/certificate.cert -out certificate.crt
Removing Custom Root CA Certificates
Removing your custom root CA certificate is even simpler, just delete the certificate from the folder you created earlier, and then ask Debian to update the CA certificate store, but completely this time
sudo update-ca-certificates --fresh