In this post, I will walk you through the process of installing root certificates on SUSE Linux and Ubuntu. From placing the certificate in the appropriate directory to finally updating the trusted certificate store.

Whether you’re adding a corporate certificate or a third-party CA, these steps are straightforward and essential for maintaining a reliable Linux environment.


Table Of Contents
  1. Install Root Certificates
  2. Deinstall Root Certificates
  3. Install Root Certificates on Chrome running on Linux
  4. Links


Install Root Certificates

To install root certificates in SUSE Linux Enterprise Server, we first need to copy them into the /etc/pki/trust/anchors/ folder.

The same also for intermediate certificates issued by a so called Subordinate CA.


The certificates needs to be in PEM format and the file extension like .pem, .cert or something different SUSE doesn’t really care about and finally accept all.

For Ubuntu these certificates also needs to be in PEM format but here they need the file extension to be .crt and must be copied to a different path /usr/local/share/ca-certificates.


Now we need to run the following command, this command also works for Ubuntu.

update-ca-certificates is a program that updates the directory /etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt, a concatenated single-file list of certificates.

Source: https://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html

# sudo update-ca-certificates


Below we can check if the certificate was installed successfully in /etc/ssl/certs, also the same in Ubuntu.

# ls /etc/ssl/certs | grep MATRIX


Finally we can also check if the root certificate was installed successfully by using the curl command to connect to a web server and web site which is using a certificate issued by the CA we installed its root certificate.

Looks good!

# curl --verbose https://matrix-ca-1.matrixpost-lab.net/





Deinstall Root Certificates

To uninstall our previously installed root certificates, we just need to remove them in /etc/pki/trust/anchors and finally run the sudo update-ca-certificates command again.


We can check if the root certificate was removed successfully by listing all certificates in /etc/ssl/certs and filter for the name.

Looks good and doesn’t find it anymore.


Finally we can also check if the root certificate was removed successfully by using the curl command again.





Install Root Certificates on Chrome running on Linux

For Linux, Chrome uses its own certificate store. You can import your Root CA’s in Chrome directly.


In Chrome open Settings -> Privacy and security -> Security -> Manage certificates -> Authorities



Click on Import and select the desired root certificates.


Select which Trust settings you want to allow for the CA.



Looks good!



About how to set up your own PKI you can also read my following post.

Set up a 2-tier PKI in Active Directory Certificate Services (AD CS) – Part 1






Links

update-ca-certificates
https://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html