Adding a Certificate Authority to the Trusted List in Ubuntu

Sometimes, working with SSL certificates isn’t all it’s cropped up to be. Heck, most of the time it’s not. It’s painful, time-consuming work.

However, it’s actually not so hard to install a self-signed certificate authority in Ubuntu, using a few commands.

First, install libnss3-tools, which contains the certutil command:

sudo apt-get install libnss3-tools

Next, we’ll copy the public certificate authority file to the certificate store:

sudo cp my_ca.crt /usr/share/ca-certificates/

We’ll now recompile the SSL CA list for Ubuntu, adding our certificate:

sudo dpkg-reconfigure ca-certificates

This will lead to a ncurses menu. In this menu, choose ask, and scroll through the long list of trusted CAs until you find your ‘my_ca.crt’ certificate authority file. Mark it for inclusion with Space, then hit Tab then Enter to finish up.

The last step is to install the certificate into Google Chrome’s registry. (If you’re using Firefox or otherwise, your mileage may vary.) Let’s add it with this command:

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i my_ca.crt

Great! Now restart Google Chrome and you should now see your sites signed with this CA as being trusted :)