Thursday, February 17, 2011

How to add CA certificate to Common CA certificates

Debian package ca-certificates installs a number of common CA certificates, well known. Your certificate authority is not there, so you will get a warning messages every time it used by browser, mail client, IM, etc. Here are few simple steps to install your own CA certificate.
apt-get install ca-certificates
Copy CA certificate and reconfigure ca-certificates package:
cp cacert.pem /usr/share/ca-certificates
dpkg-reconfigure ca-certificates
You will be asked "Trust new certificates from certificate authorities?", choose Ask than from the list of activated certificates mark yours. This will rebuild certificates database with your CA certificate.


  1. Thanks for the post!

    Just to update for any future readers, Debian recommends a slightly different method for handling this - from /usr/share/doc/ca-certificates/README.Debian:

    If you want to install local certificate authorities to be implicitly
    trusted, please put the certificate files as single files ending with
    “.crt“ into “/usr/local/share/ca-certificates” and re-run
    “update-ca-certificates”. If you want to prepare a local package
    of your certificates, you should depend on “ca-certificates“, install
    the PEM files into “/usr/local/share/ca-certificates” as above and call
    “update-ca-certificates” in the package's “postinst“.

  2. on my raspberry pi (raspian) I needed to put the crt file in /usr/share/ca-certificates/ (without the /local/), despite what the readme said in /usr/share/doc/ca-certificates