Adding a self-signed certificate to the "trusted list"


Solution 1

The simple answer to this is that pretty much every application will handle it differently.

Also, OpenSSL and GnuTLS (the most widely used certificate-processing libraries used to handle signed certificates) behave differently in their treatment of certs, which also complicates the issue. Operating systems also use different mechanisms to handle the "root CA" certificates used by most websites.

That aside, taking Debian as an example, install the ca-certificates package:

apt-get install ca-certificates

You then copy the public half of your untrusted CA certificate (the one you use to sign your CSR) into the CA certificate directory (as root):

cp cacert.crt /usr/share/ca-certificates

NOTE: Certificate needs to have .crt extension for it to be picked up.

Then get it to rebuild the directory with your certificate included; run as root:

dpkg-reconfigure ca-certificates

and select the "ask" option, scroll to your certificate, mark it for inclusion and select OK.

Most browsers use their own CA database, and so tools like certutil have to be used to modify their contents (on Debian that is provided by the libnss3-tools package). For example, with Chrome you run something along the lines of:

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file

Firefox will allow you to browse to the certificate on disk, recognize it as a certificate file and then allow you to import it into the root CA list.

Most other commands, such as curl, take command-line switches you can use to point at your CA:

 curl --cacert  /path/to/CA/cert.file https://...

or drop the SSL validation altogether

 curl --insecure https://...

The rest will need individual investigation if the ca-certificates-like trick does not sort it for that particular application.

Solution 2

Non-Interactive Approach

For use in a non-interactive context (e.g. a Chef recipe) you can use the following sequence.

sudo cp my.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

  • Tested and works on Debian 5/6 & Ubuntu 14.04.
  • For more information, see man update-ca-certificates

This method is preferred over @Drav's method, since /usr/share/ is typically reserved for files added by the OS / apt-get.

Solution 3

On Fedora 23, add the .pem or .der file to /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust extract.

See man update-ca-trust for details, e.g. whether to use /etc or /usr.

Solution 4

Non-Interactive Approach (Oct '18) for recent Debian-based systems

There's a distinction between adding a cert to the host's store and activating it so that applications really use it. An existing cert in the store isn't necessarily used (although I have to admit that a lot of packages are still getting it wrong anyway).
This can get confusing when you set up a package which considers /etc/ca-certificates.conf and simply refuses to use your cert although it has been added without error. You need to tell update-ca-certificates explicitly to (not just copy but) activate the cert by adding it to /etc/ca-certificates.conf or /etc/ca-certificates/update.d.

CERT=mycert.crt
cp /mypath/to/$CERT /usr/share/ca-certificates/$CERT
# note the + sign, which tells it to activate the cert
echo "+$CERT" >/etc/ca-certificates/update.d/activate_my_cert
dpkg-reconfigure ca-certificates

Now here it gets confusing as there's a way to implicitly trust a certificate by using a different path:

CERT=mycert.crt
cp /mypath/to/$CERT /usr/local/share/ca-certificates/$CERT
update-ca-certificates;
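Solutions 1, 2 and 4 above describe the same Debian/Ubuntu machinery from three angles, so here is one script that exercises it end to end. This is an added example, not code from any of the answers: it assumes the ca-certificates and openssl packages are installed (plus libnss3-tools for the Chrome part), and the CA file name homemade-ca.crt, the server certificate, the NSS nickname and the URL are placeholders. Two facts it encodes that the answers only hint at: update-ca-certificates only considers files named *.crt whose body is PEM, and the list that activates certificates under /usr/share/ca-certificates is /etc/ca-certificates.conf (a leading ! deselects an entry, nothing else is special), whereas /etc/ca-certificates/update.d holds hook scripts that run-parts executes after the store is rebuilt, so a file dropped there containing a "+" line is not read as an activation list. Certificates under /usr/local/share/ca-certificates need no conf entry at all, which is why Solution 2's two-liner works.

```shell
#!/bin/sh
# Added example (not from the answers): the Debian/Ubuntu ca-certificates
# mechanism end to end, with the checks that explain the usual failures.
# Assumes the ca-certificates and openssl packages; homemade-ca.crt, the NSS
# nickname and the URL below are placeholders.
set -eu

CONF=/etc/ca-certificates.conf               # activation list for /usr/share/ca-certificates
LOCAL=/usr/local/share/ca-certificates       # every *.crt here is trusted with no conf entry
BUNDLE=/etc/ssl/certs/ca-certificates.crt    # PEM bundle rebuilt by update-ca-certificates

# update-ca-certificates only picks up files named *.crt, and the bundle it
# writes is a PEM concatenation, so a DER file silently corrupts it.
# Returns 0 when $1 passes both checks, 1 with a reason on stderr otherwise.
ca_file_ok() {
    f=$1
    case "$f" in
        *.crt) ;;
        *) echo "reject: '$f' must be named *.crt (.pem/.cer/.cert are ignored)" >&2; return 1 ;;
    esac
    [ -s "$f" ] || { echo "reject: '$f' is missing or empty" >&2; return 1; }
    if [ "$(head -n 1 "$f" | tr -d '\r')" != "-----BEGIN CERTIFICATE-----" ]; then
        echo "reject: '$f' is not PEM; convert with: openssl x509 -inform DER -in '$f' -out converted.crt" >&2
        return 1
    fi
    return 0
}

# Print the entries of a ca-certificates.conf ($1, default the system file)
# that are active: paths relative to /usr/share/ca-certificates, minus
# comments ('#'), blank lines and deselected entries (leading '!').
# There is no '+' syntax; an entry is active simply by being listed.
active_in_conf() {
    grep -v -e '^#' -e '^!' -e '^[[:space:]]*$' "${1:-$CONF}" || true
}

# The deselected entries of the same file, with the '!' stripped.
deselected_in_conf() {
    sed -n 's/^!//p' "${1:-$CONF}"
}

# Preferred for a locally issued CA: copy to /usr/local/share and rebuild.
install_local_ca() {                 # $1 = PEM CA named *.crt; run as root
    ca_file_ok "$1"
    cp "$1" "$LOCAL/"
    update-ca-certificates
}

# /usr/share/ca-certificates is the distribution's directory: a file copied
# there stays inert until it is listed in /etc/ca-certificates.conf, which is
# what the interactive dpkg-reconfigure does when you tick the box.
install_share_ca() {                 # $1 = PEM CA named *.crt; run as root
    ca_file_ok "$1"
    name=$(basename "$1")
    cp "$1" "/usr/share/ca-certificates/$name"
    if grep -qx "!$name" "$CONF"; then
        sed -i "s|^!$name\$|$name|" "$CONF"     # was deselected: re-select it
    elif ! grep -qx "$name" "$CONF"; then
        echo "$name" >> "$CONF"
    fi
    update-ca-certificates
}

# What OpenSSL-linked programs and curl actually read afterwards: the symlink
# /etc/ssl/certs/<name>.pem and the bundle. Check both against a server
# certificate issued by the CA, then let curl try the real endpoint.
verify_trust() {                     # $1 = CA file, $2 = server cert (PEM), $3 = https URL
    ls -l "/etc/ssl/certs/$(basename "$1" .crt).pem"
    openssl verify -CAfile "$BUNDLE" "$2"
    curl -sS -o /dev/null "$3" && echo "curl: $3 trusted through the system store"
}

# Chrome/Chromium on Linux use their own NSS database; "C,," marks the cert
# as a trusted CA for TLS server authentication. The -L call confirms the import.
import_nss() {                       # $1 = CA file, $2 = nickname
    certutil -d "sql:$HOME/.pki/nssdb" -A -t "C,," -n "$2" -i "$1"
    certutil -d "sql:$HOME/.pki/nssdb" -L -n "$2" >/dev/null && echo "NSS: '$2' imported"
}

# Usage (as root): sh trust-ca.sh homemade-ca.crt build-server.crt https://build.example.test/
if [ $# -eq 3 ]; then
    install_local_ca "$1"
    verify_trust "$1" "$2" "$3"
    echo "active entries under /usr/share/ca-certificates: $(active_in_conf | wc -l)"
fi
```

verify_trust is the step worth keeping: `openssl verify -CAfile` against the rebuilt bundle tells you whether the store is right before you start blaming an application. Java is unaffected by any of this, since it reads its own cacerts keystore, and anything statically linked against a bundled CA list (curl built with a private bundle, some Go or Python wheels) needs its own treatment, which is the point Solution 1 opens with.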

Solution 5

In centos:

cp *.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
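Solutions 3 and 5 give the Fedora/RHEL/CentOS equivalent in two lines but no way to check that it worked. The following is an added example, not code from either answer; it assumes update-ca-trust (ca-certificates), the p11-kit `trust` tool and openssl are present, and the CA file homemade-ca.pem, the label "My Homemade CA" and the server certificate are placeholders. It installs the anchor and then confirms it from two independent views: the p11-kit trust listing and the PEM bundle that OpenSSL-linked programs read.

```shell
#!/bin/sh
# Added example (not from the answers): install a CA as a trust anchor on
# Fedora/RHEL/CentOS and confirm that the shared store really picked it up.
# Assumes ca-certificates (update-ca-trust), p11-kit-trust (the "trust" tool)
# and openssl; homemade-ca.pem and the label are placeholders.
set -eu

ANCHORS=/etc/pki/ca-trust/source/anchors     # admin-added anchors; PEM or DER accepted
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt      # PEM bundle rewritten by update-ca-trust extract

install_anchor() {                   # $1 = CA certificate file; run as root
    cp "$1" "$ANCHORS/"
    update-ca-trust extract
}

# Read `trust list` output (from file $1, or "-" for stdin) and return 0 only
# if a certificate whose label is $2 is listed with "trust: anchor".
# Entries start with a pkcs11: URI line and carry indented "key: value" lines.
anchor_listed() {
    awk -v want="$2" '
        /^pkcs11:/            { label = ""; trust = "" }
        /^[ \t]*label: /      { sub(/^[ \t]*label: /, ""); label = $0 }
        /^[ \t]*trust: /      { sub(/^[ \t]*trust: /, ""); trust = $0 }
        label == want && trust == "anchor" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Two independent confirmations: the p11-kit view and the OpenSSL bundle.
verify_anchor() {                    # $1 = label shown by `trust list`, $2 = server cert signed by the CA
    trust list --filter=ca-anchors | anchor_listed - "$1"
    openssl verify -CAfile "$BUNDLE" "$2"
}

# Usage (as root): sh anchor-ca.sh homemade-ca.pem "My Homemade CA" build-server.pem
if [ $# -eq 3 ]; then
    install_anchor "$1"
    verify_anchor "$2" "$3"
fi
```

The label `trust list` prints is taken from the certificate's subject, so pass the CN you put in the CA, not the file name. `trust anchor --store homemade-ca.pem` is the p11-kit shorthand for the copy-and-extract pair and leaves the same result for verify_anchor to check.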

Author: Naftuli Kay

Updated on September 18, 2022

Comments

  • Naftuli Kay
    Naftuli Kay over 1 year

    I've generated a self-signed certificate for my build server and I'd like to globally trust the certificate on my machine, as I created the key myself and I'm sick of seeing warnings.

    I'm on Ubuntu 12.04. How can I take the certificate and globally trust it so that browsers (Google Chrome), CLI utilities (wget, curl), and programming languages (Python, Java, etc.) trust the connection to https://example.com without asking questions?

  • Naftuli Kay
    Naftuli Kay about 10 years
    Also, as noted here, adding CA certificates for Java is likewise a separate matter.
  • Karthik Bosan
    Karthik Bosan over 9 years
    After copying the certificate to /usr/share/ca-certificates, I can't see it in the dpkg-reconfigure ca-certificates list. What am I doing wrong?
  • Hello World
    Hello World over 8 years
    @GeorgesDupéron That happened to me too. I resolved it by renaming the cert from whatever.pem to whatever.crt.
  • ortang
    ortang over 8 years
    It is better to copy the files to /usr/local/share/ca-certificates/ as mentioned in the man pages
  • KCD
    KCD over 7 years
    FYI the A must be a .crt, I found .cert claimed it was added but did not help
  • Janac Meena
    Janac Meena almost 6 years
    When I do openssl connect should I be specifying this /anchors folder? I'm still getting an error "self signed certs
  • Tri Nguyen
    Tri Nguyen about 5 years
    FYI, I had a cert file named .cer, and that didn't work. I had to rename it to .crt for it to be recognized.
  • Boris Verkhovskiy
    Boris Verkhovskiy over 4 years
    I didn't need to install ca-certificates on Ubuntu 19.10.
  • Yuri
    Yuri over 4 years
    The file name has to match /usr/share/ca-certificates/*.crt in order to be picked by the utility.
  • FKEinternet
    FKEinternet over 3 years
    You've just re-enabled all of the certs that were disabled, e.g., ones from bad actors or expired. That was not clever
  • psusi
    psusi about 3 years
    dpkg-reconfigure only lists the existing certs under the mozilla subdirectory, not the one I added.
  • Flimzy
    Flimzy over 2 years
    For what it's worth, you can now add certs to Chrome via the Settings page, without the need for the certutil tool.