Skip to content

How to add a custom CA Certificate on Debian


:   Alexander


If you're a Debian user, you may sometimes need to install a custom Certificate Authority (CA) certificate on your system. Debian 11 comes with a pre-installed set of CA certificates, but if you need to use a particular service or application that requires a custom or self-signed certificate, you'll need to add it to your system's trusted CA store.

Step 1: Copy the Certificate to the Appropriate Location

Firstly, copy the certificate to the appropriate location on the Debian 11 system. By convention, most CA certificates are stored in the /usr/local/share/ca-certificates/ directory. In this example, let's assume the certificate name is SecurityAppliance_SSL_CA.pem and I already have the certificate contents.

cd /usr/local/share/ca-certificates/
sudo nano SecurityAppliance_SSL_CA.pem

Step 2: Convert the .pem certificate into x509

Skip this step if your certificate is already in x509 format (.crt)

Since Debian only accepts CA certs in x509 format (better known as .crt) we'll need to convert the .pem file to a .crt this can be accomplished with the openssl command.

openssl x509 -inform PEM -in /usr/local/share/ca-certificates/SecurityAppliance_SSL_CA.pem -out SecurityAppliance_SSL_CA.crt

Step 3: Update the System's CA Certificate Store

After copying the certificate, update the system's CA certificate store using the following command:

sudo update-ca-certificates
This command will read the certificates in the /usr/local/share/ca-certificates/ directory and add them to the CA certificate store.

Extra: Removing your Custom CA Certificate

Removing your custom CA certificate is even simpler, just delete the certificate from the directory /usr/local/share/ca-certificates/ and then ask Debian to update the CA certificate store, but completely this time.

sudo update-ca-certificates --fresh