TLS certificates in Linux

2016-01-22 | Martin Hoppenheit | 2 min read

Installing TLS CA root certificates in Linux is actually quite easy. Well, at least if you know where to put the certificate files … Unfortunately, different distributions keep their certificate stores in different places. Here is a short overview on installing root certificates in Debian and Red Hat Enterprise Linux/CentOS. Other distributions based on Debian or RHEL probably handle this similarly to one of the two approaches described here.

Note that the directory and command names below imply that the procedures described there are meant to be used with CA root certificates. Anyway, the same can be done with self-signed certificates as well (these are quite similar to CA root certificates). Note furthermore that some programs (most notably Firefox) have their own certificate stores and ignore the system-wide settings! Others need to be explicitly pointed to the certificate store’s file path in their configuration.

Debian

The following is valid at least for Debian 8.

Put the certificate file (with file name extension .crt) into the /usr/local/share/ca-certificates/ directory, then run the update-ca-certificates command to update the symlink list in /etc/ssl/certs/:

# cp certificate.crt /usr/local/share/ca-certificates/
# update-ca-certificates

(There is no need to modify the /etc/ca-certificates.conf file, since the certificates in /usr/local/share/ca-certificates are implicitly trusted. The config file is only relevant concerning the certificates in /usr/share/ca-certificates.)

To remove a certificate, delete the certificate file and run the update-ca-certificates command to remove the respective symlinks in /etc/ssl/certs/:

# rm /usr/local/share/ca-certificates/certificate.crt
# update-ca-certificates -f

RHEL/CentOS

The following is valid at least for CentOS 7.

Put the certificate file (any file name) into the /etc/pki/ca-trust/source/anchors/ directory, then run the update-ca-trust command to update the certificate bundle files in /etc/pki/ca-trust/extracted/:

# cp certificate.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract

To remove a certificate, delete the certificate file and run the update-ca-trust command to update the certificate bundle files in /etc/pki/ca-trust/extracted/:

# rm /etc/pki/ca-trust/source/anchors/certificate.crt
# update-ca-trust extract
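As an added example (not part of the original post), here are the two procedures above combined into one script that picks the store from /etc/os-release and refuses files that are not a single PEM certificate, since both update tools silently skip files they cannot parse. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post; function names are my own.
# Installs a CA certificate into the Debian or RHEL/CentOS store with checks.
set -eu

# Pick the store family from /etc/os-release (path is a parameter so a
# constructed file can be used). Prints "debian" or "rhel".
detect_ca_family() {
    if grep -Eq '^(ID|ID_LIKE)=.*(debian|ubuntu)' "${1:-/etc/os-release}"; then
        echo debian
    elif grep -Eq '^(ID|ID_LIKE)=.*(rhel|centos)' "${1:-/etc/os-release}"; then
        echo rhel
    else
        return 1
    fi
}

# Accept only a file holding exactly one PEM certificate block; a DER file
# or an empty file would be silently ignored by the update tools.
check_pem_cert() {
    [ -f "$1" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# Destination path per family, as given in the post. Debian's tool only
# picks up files ending in .crt, so that extension is enforced there.
ca_dest_path() {
    name=$(basename "$2")
    case $1 in
        debian) echo "/usr/local/share/ca-certificates/${name%.*}.crt" ;;
        rhel)   echo "/etc/pki/ca-trust/source/anchors/$name" ;;
        *)      return 1 ;;
    esac
}

# Copy the certificate into place and rebuild the store (needs root).
install_ca_cert() {
    check_pem_cert "$1" || { echo "not a single PEM certificate: $1" >&2; return 1; }
    dest=$(ca_dest_path "$2" "$1") || { echo "unsupported family: $2" >&2; return 1; }
    cp "$1" "$dest"
    case $2 in
        debian) update-ca-certificates ;;
        rhel)   update-ca-trust extract ;;
    esac
}

# Usage: sh install-ca.sh certificate.crt
if [ $# -ge 1 ]; then install_ca_cert "$1" "$(detect_ca_family)"; fi
```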