How to add a custom CA Certificate on Debian
2/04/2023
Information
If you're a Debian user, you may sometimes need to install a custom Certificate Authority (CA) certificate on your system. Debian 11 comes with a pre-installed set of CA certificates, but if you need to use a particular service or application that requires a custom or self-signed certificate, you'll need to add it to your system's trusted CA store.
Step 1: Copy the Certificate to the Appropriate Location
Firstly, copy the certificate to the appropriate location on the Debian 11 system. By convention, most CA certificates are stored in the /usr/local/share/ca-certificates/
directory. In this example, let's assume the certificate name is SecurityAppliance_SSL_CA.pem
and I already have the certificate contents.
cd /usr/local/share/ca-certificates/
sudo nano SecurityAppliance_SSL_CA.pem
Step 2: Convert the .pem certificate into x509
Skip this step if your certificate is already in x509 format (.crt
)
Since Debian only accepts CA certs in x509 format (better known as .crt) we'll need to convert the .pem
file to a .crt
this can be accomplished with the openssl
command.
openssl x509 -inform PEM -in /usr/local/share/ca-certificates/SecurityAppliance_SSL_CA.pem -out SecurityAppliance_SSL_CA.crt
Step 3: Update the System's CA Certificate Store
After copying the certificate, update the system's CA certificate store using the following command:
sudo update-ca-certificates
Extra: Removing your Custom CA Certificate
Removing your custom CA certificate is even simpler, just delete the certificate from the directory /usr/local/share/ca-certificates/
and then ask Debian to update the CA certificate store, but completely this time.
sudo update-ca-certificates --fresh