linux, ssl

Add Root CA Trust to Linux

EDIT: This page consistently receives the highest hits on my blog. Please consider using my Amazon affiliate link which tosses some change my way if you make a purchase after using it. Thanks for considering it!!


If you are using linux behind a company proxy/firewall, odds are you have issues accessing SSL resources (i.e. https). The company likely runs its own Certificate Authority (CA) that issues private certificates. These certificates are not issued by ‘trusted’ authorities (i.e. Verisign et al), so the browser does not ‘trust’ them and will respond with a message like this

In this post I’ll show you how to add your Root CA to the linux certificate store, as well as firefox and chrome.

The Truth

The ‘funny’ thing about corporate proxies is that they are essentially man-in-the-middle attacks. I’m not a networking professional, but as I understand it, the corporate proxy decrypts your traffic and then re-encrypts it with the private cert on the way in. Since your browser trusts the company root CA, it doesn’t question the validity of this. Hence the company gets access to all your ‘encrypted’ traffic to ensure you aren’t sending anything they don’t want you to send (i.e. company IP, etc).

Not judging here, just giving information.

Identify the Certificate of Interest

In order to know which cert to add, we first have to locate the cert being used at the proxy. To be safe, you can open a browser, look at the certificates, export them ALL and then import them all; that will surely catch the cert of interest. That said, this is how you can inspect things

$ openssl s_client -connect <host>:<port>
...
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 ....


In my output, the entry I marked HERE was the cert I needed to add to the linux CA store. YMMV, but the certificate chain printed above will generally show you which cert is being used at the proxy.
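As an added example (not code from the original post), a small Python script that reads the `openssl s_client` output shown above and reports which CA the local store lacks. The sample output is constructed, not captured from a real proxy; it covers openssl’s verify error 20 (the top cert in the chain was signed by a CA that was not sent, so export it from a browser that already trusts it) and error 19 (the proxy sent its self-signed root, which `openssl s_client -showcerts` can dump directly).

```python
import re

# Constructed sample of `openssl s_client -connect <host>:443` output (not from a real proxy):
# verify error 20 means the top of the chain was signed by a CA the local store lacks.
SAMPLE_MISSING_ROOT = """\
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Corp, CN = Example Corp Proxy CA
 1 s:C = US, O = Example Corp, CN = Example Corp Proxy CA
   i:C = US, O = Example Corp, CN = Example Corp Root CA
---
"""

# Constructed sample for the other common case: the proxy sends its self-signed root (error 19).
SAMPLE_ROOT_SENT = """\
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Corp Root CA
 1 s:CN = Example Corp Root CA
   i:CN = Example Corp Root CA
---
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_ERROR = re.compile(r"^verify error:num=(\d+):", re.MULTILINE)


def parse_chain(output):
    """Return (subject, issuer) pairs from the 'Certificate chain' block, leaf first."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_ENTRY.finditer(output)]


def missing_ca(output):
    """Name the CA that must be added to the store and say whether the server sent it."""
    chain = parse_chain(output)
    if not chain:
        raise ValueError("no 'Certificate chain' block in s_client output")
    err = VERIFY_ERROR.search(output)
    top_subject, top_issuer = chain[-1]
    return {
        "error": int(err.group(1)) if err else 0,
        "ca_subject": top_issuer,
        # Self-signed top entry: the root is in the chain, so `s_client -showcerts` can
        # dump it; otherwise export it from a browser that already trusts it.
        "sent_by_server": top_subject == top_issuer,
    }
```

Pipe real `s_client` output into `missing_ca` and the `ca_subject` value is the name to look for in the browser’s certificate list before exporting.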

Export the cert(s)

Now that we know the cert (or just want to grab them all), you can export the certs. I used IE in my example, but you could export from any browser that has the Root CA trusted. In IE go to

Internet Explorer->Internet Options->Content->Certificates

Export each cert in X.509 DER format and save to disk.

Import the certs for command line

Copy each cert to the /tmp folder on your linux machine, then run the following to convert it to PEM, stage it, and load it into the CA certificate store

$ sudo openssl x509 -in /tmp/<yourcert>.cer -inform DER -out /tmp/<yourcert>.crt

$ sudo cp /tmp/*.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...

N added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:

You will see something like the above (I’m deliberately keeping it generic), but you should see a positive number for N added.

At this point linux command-line tools should be aware of the cert and trust the root CA

$ curl https://<host>/
html shown (no certificate error)

That’s it! Command-line is done.

Import the certs for Firefox

For firefox, you can use the .crt files generated above. Go to

Firefox->Preferences->Advanced->Certificates->View Certificates->Import

Import each .crt file in /tmp and, when prompted, trust it to identify websites

That’s it! Firefox is done.

Import the certs for Chrome

Unfortunately chrome is different, and we need to export the certs differently: for chrome, export ALL the certificates at once as a single PKCS #12 (.PFX) file.

In IE, highlight all the certificates you want to export, using the Ctrl or Shift keys to select multiple entries, and export them as PKCS #12.

Choose a password for the export; we’ll go with “blah” for our example. Move the resulting .pfx file to /tmp on your linux machine.

Now import into Chrome via Settings->Show Advanced Settings->Manage Certificates->Import. Choose the .pfx file from /tmp/<yourcert>.pfx and enter the password you used (in our case, “blah”).

That’s it! Chrome is finished.


Hopefully the above helped you out. I owe a special thanks to madvikinggod from the coding blocks podcast slack channel, who gave me some of the openssl commands to inspect which certificate I needed; it was invaluable in moving me forward.

If you had any issues (or if it worked!), let me know in the comments.

Good luck!