How to add a custom CA Certificate on Debian
2/04/2023
Information
If you're a Debian user, you may sometimes need to install a custom Certificate Authority (CA) certificate on your system. Debian 11 comes with a pre-installed set of CA certificates, but if you need to use a particular service or application that requires a custom or self-signed certificate, you'll need to add it to your system's trusted CA store.
Step 1: Copy the Certificate to the Appropriate Location
First, copy the certificate to the appropriate location on the Debian 11 system. By convention, locally added CA certificates are stored in the /usr/local/share/ca-certificates/ directory. In this example, let's assume the certificate name is SecurityAppliance_SSL_CA.pem and I already have the certificate contents, which I paste into a new file:
cd /usr/local/share/ca-certificates/
sudo nano SecurityAppliance_SSL_CA.pem
Step 2: Convert the .pem certificate into x509
Skip this step if your certificate is already in x509 format (.crt).
Since Debian only accepts CA certs in x509 format (better known as .crt; update-ca-certificates only picks up files whose names end in .crt), we'll need to convert the .pem file to a .crt. This can be accomplished with the openssl command. The output goes into the same directory, which is why sudo is needed:
sudo openssl x509 -inform PEM -in /usr/local/share/ca-certificates/SecurityAppliance_SSL_CA.pem -out /usr/local/share/ca-certificates/SecurityAppliance_SSL_CA.crt
Step 3: Update the System's CA Certificate Store
After copying the certificate, update the system's CA certificate store using the following command:
sudo update-ca-certificates
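Anything placed in this directory becomes a trust anchor for every TLS client on the machine, so it is worth checking the file before running the update. The following is an added example, not part of the original post: check_ca_cert is a hypothetical helper name, and it relies only on the openssl x509 options shown.

```shell
#!/bin/sh
# Added example: vet a CA certificate before update-ca-certificates trusts it.
# check_ca_cert is a hypothetical helper name, not a Debian or OpenSSL tool.

check_ca_cert() {
    cert=$1

    # update-ca-certificates only picks up files whose names end in .crt.
    case "$cert" in
        *.crt) ;;
        *) echo "reject: $cert does not end in .crt" >&2; return 1 ;;
    esac

    # openssl x509 reads only the first certificate in a file, so insist on
    # exactly one: any further certificate would go uninspected.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || true)
    [ "$count" = 1 ] ||
        { echo "reject: expected 1 PEM certificate, found ${count:-0}" >&2; return 1; }

    # The file must parse as a PEM-encoded X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "reject: not a parseable X.509 certificate" >&2; return 1; }

    # It must be a CA certificate, not a server (leaf) certificate.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "reject: basicConstraints is not CA:TRUE" >&2; return 1; }

    # It must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "reject: certificate has expired" >&2; return 1; }

    # Show what is about to be trusted; compare the fingerprint with the one
    # published by whoever operates the CA before running update-ca-certificates.
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
}

# Usage: sh check_ca.sh /usr/local/share/ca-certificates/SecurityAppliance_SSL_CA.crt
if [ "$#" -gt 0 ]; then
    check_ca_cert "$1"
fi
```

A rejection here means the file should be looked at by hand, not that it can never be installed: some older self-signed roots carry no basicConstraints extension at all.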
Extra: Removing your Custom CA Certificate
Removing your custom CA certificate is even simpler. Delete the certificate from the directory /usr/local/share/ca-certificates/ and then ask Debian to update the CA certificate store, this time rebuilding it completely:
sudo update-ca-certificates --fresh