308

My work has decided to issue their own certificate authority (CA) to handle different aspects of our work securely without paying for certificates.

  • Cryptographically sign emails
  • Encrypt email contents
  • Make access to things like the company IRC client-certificate based.
  • Revoke the keys of former employees automatically

They sent me a .pem file, and I'm not sure how to add it to my Ubuntu install. The instructions sent were: "Double-clicking on it on a Mac should install it." 

How do I proceed? Do I need to do something with OpenSSL to create a .key, .csr, or .crt file?

ks1322
Xeoncross

8 Answers

414

Installing a CA

Copy your certificate in PEM format (the format that has ----BEGIN CERTIFICATE---- in it) into /usr/local/share/ca-certificates and name it with a .crt file extension.

Then run sudo update-ca-certificates.

Caveats: This installation only affects products that use this certificate store. Some products may use other certificate stores; if you use those products, you'll need to add this CA certificate to those other certificate stores, too. (Firefox Instructions, Chrome Instructions, Java Instructions)

Testing The CA

You can verify if this worked by looking for the certificate that you just added in /etc/ssl/certs/ca-certificates.crt (which is just a long list of all of your trusted CAs concatenated together).

You can also use OpenSSL's s_client by trying to connect to a server that you know is using a certificate signed by the CA that you just installed.

$ openssl s_client -connect foo.whatever.com:443 -CApath /etc/ssl/certs

CONNECTED(00000003)
depth=1 C = US, ST = Virginia, O = "Whatever, Inc.", CN = whatever.com, emailAddress = admin@whatever.com
verify return:1
depth=0 C = US, ST = Virginia, L = Arlington, O = "Whatever, Inc.", CN = foo.whatever.com
verify return:1

Certificate chain
 0 s:/C=US/ST=Virginia/L=Arlington/O=Whatever, Inc./CN=foo.whatever.com
   i:/C=US/ST=Virginia/O=Whatever, Inc./CN=whatever.com/emailAddress=admin@whatever.com

... snip lots of output ...

Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1392837700
Timeout   : 300 (sec)
Verify return code: 0 (ok)

The first thing to look for is the certificate chain near the top of the output. This should show the CA as the issuer (next to i:). This tells you that the server is presenting a certificate signed by the CA you're installing.

Second, look for the verify return code at the end to be set to 0 (ok).

Sergey
99

man update-ca-certificates:

update-ca-certificates  is a program that updates the directory /etc/ssl/certs to hold SSL
certificates  and  generates  ca-certificates.crt,  a  concatenated  single-file  list  of
certificates.

It  reads  the  file  /etc/ca-certificates.conf.  Each  line  gives  a  pathname  of  a CA
certificate under /usr/share/ca-certificates that should be  trusted.   Lines  that  begin
with  "#"  are  comment lines and thus ignored.  Lines that begin with "!" are deselected,
causing the deactivation of the CA certificate in question. Certificates must have a  .crt
extension in order to be included by update-ca-certificates.

Furthermore  all  certificates  with  a  .crt  extension  found below /usr/local/share/ca-
certificates are also included as implicitly trusted.

From the above, I would infer that the preferred way to get local certificate files into the trusted store is to put them into /usr/local/share/ca-certificates, and then run update-ca-certificates. You do not need to touch /etc/ssl/certs directly.

0xC0000022L
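An added check, written for this page and not taken from any of the answers, that ties the two answers above together: before copying, it applies the pickup rules quoted from the man page (PEM text and a .crt extension); after update-ca-certificates, it compares SHA-256 fingerprints against the bundle that the first answer says to inspect, which is more reliable than scanning /etc/ssl/certs/ca-certificates.crt by eye. The certificate bodies embedded here are constructed placeholders rather than real DER; with real files, read the .crt and the bundle from disk and pass their text in.

```python
import base64
import hashlib
import re

# One PEM CERTIFICATE block; in a real file the body is base64-encoded DER.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM string."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]


def fingerprint(der):
    """SHA-256 of the DER, the value 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def preflight(filename, data):
    """Problems that would stop update-ca-certificates from picking the file up."""
    problems = []
    if not filename.endswith(".crt"):
        problems.append("rename to a .crt extension")
    if b"-----BEGIN CERTIFICATE-----" not in data:
        problems.append("not PEM (a binary .cer needs 'openssl x509 -inform der' first)")
    return problems


def missing_from_bundle(cert_pem, bundle_pem):
    """Fingerprints of certs in cert_pem that are absent from the bundle."""
    present = {fingerprint(d) for d in pem_certs(bundle_pem)}
    return sorted(fingerprint(d) for d in pem_certs(cert_pem)
                  if fingerprint(d) not in present)


def _pem(label):
    # Constructed stand-in: a real certificate carries base64 DER here.
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


COMPANY_CA = _pem(b"constructed company root CA")
BUNDLE_BEFORE = _pem(b"constructed public CA 1") + _pem(b"constructed public CA 2")
BUNDLE_AFTER = BUNDLE_BEFORE + COMPANY_CA

if __name__ == "__main__":
    print(preflight("company-ca.pem", COMPANY_CA.encode()))   # extension warning
    print(missing_from_bundle(COMPANY_CA, BUNDLE_BEFORE))     # one fingerprint
    print(missing_from_bundle(COMPANY_CA, BUNDLE_AFTER))      # []
```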
26

The other answers regarding update-ca-certificates are correct for applications that read from the system certificate store. For Chrome and Firefox, and probably some others, the certificate must be put in the nssdb, the backend for the Mozilla NSS library.

From https://code.google.com/p/chromium/wiki/LinuxCertManagement:

For example, to trust a root CA certificate for issuing SSL server certificates, use

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>

Where <certificate nickname> is arbitrary, and <certificate filename> is your .pem or .crt file.

Other helpful references:

Johann
19

I had the same issue, and I had to copy the .pem file to /usr/local/share/ca-certificates, renaming it as .crt. The .cer file can easily be converted to .pem, with openssl, for example, if you don't have the .pem.

After copying the file you must execute sudo update-ca-certificates.

greuze
17

For newer builds based on Debian, you may need to run:

sudo dpkg-reconfigure ca-certificates

NOTE: sudo dpkg-reconfigure ca-certificates calls update-ca-certificates internally

You'll of course still need to copy the certificate (.crt file) to /usr/share/ca-certificates before you do any of this :)

missmah
11

Building on dwmw2's answer, you can actually tell applications that use NSS for their certificate management to use the system trust store.

libnss3 by default ships with a read-only set of root CA certificates (libnssckbi.so), so most of the time you need to manually add them yourself to the local user trust store located in $HOME/.pki/nssdb. p11-kit offers a drop-in replacement for libnssckbi.so that acts as an adapter to the system-wide root certificates installed in /etc/ssl/certs.

Edit:

There seem to be more versions of libnssckbi.so out there than just in libnss3. The following is a script to find them all, back them up, and replace them with links to p11-kit:

sudo apt-get update && sudo apt-get install -y p11-kit libnss3
# -type f skips copies that are already symlinks (e.g. from a previous run);
# paths are quoted so names with spaces do not break mv/ln.
find / -type f -name "libnssckbi.so" 2>/dev/null | while read -r line; do
    sudo mv "$line" "${line}.bak"
    sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so "$line"
done

Original instructions:

To do this, install p11-kit and libnss3 (if they are not already installed):

sudo apt-get update && sudo apt-get install -y p11-kit libnss3

Then backup the existing libnssckbi.so provided by libnss3:

sudo mv /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so.bak

Finally, create the symbolic link:

sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

To confirm that it worked, you can run ll /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so and it should show the link:

lrwxrwxrwx 1 root root 49 Apr  9 20:28 /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so -> /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so

Now, if you add a certificate to the CA store using update-ca-certificates, those certificates will now be available to applications using NSS (libnss3) such as Chrome.

wheeler
4

As noted, various applications using NSS have their own certificate store. As things stand on Ubuntu, you have to manually use certutil to add your CAs for each application, for each user.

In other distributions like Fedora, this kind of thing Just Works™ and you should file a bug against any application which doesn't automatically trust the CAs you install with update-ca-trust.

You can fix this in Ubuntu too by installing the p11-kit-modules package and then replacing the NSS built-in trust roots module with p11-kit-trust.so, by making a symbolic link for example from /usr/lib/firefox/libnssckbi.so to /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so.

Then you will get the system's configured trust roots, not some hard-coded ones. Note that Ubuntu ships multiple different copies of that libnssckbi.so library with the hard-coded trust roots, and you have to replace all of them!

cf. https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1647285

C2H5OH
dwmw2
2

Seriously stupid answer to add here, but I had spent 2 hours going back and forth with certutil in Linux. I was sure everything was correct:

hutber@hutber-mint /var/www/asos-mvt-framework $ certutil -L -d sql:${HOME}/.pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

anyproxy                                                     CT,,
rootCA                                                       CT,,
myasos                                                       CT,,

But still, in Chrome nothing was working. I tried everything. In the end, restarting Chrome was the key to my success after following Steven Monday's advice.