---
myst:
html_meta:
description: Install enterprise root CA certificates in Ubuntu's trust store to enable secure communication with internal infrastructure.
---
(install-a-root-ca-certificate-in-the-trust-store)=
# Install a root CA certificate in the trust store
Enterprise environments sometimes have a local Certificate Authority (CA) that issues certificates for use within the organization. For an Ubuntu server to function in such an environment and to trust the hosts in it, this CA must be installed in Ubuntu's trust store.
## Certificate formats
There are two encoding formats for certificates:
- **Privacy Enhanced Mail (PEM)**: These are human-readable and in Base64-encoded **ASCII** format.
- **Distinguished Encoding Rules** ({term}`DER`): These are encoded in a more compact **binary** format, and not human readable.
To install a certificate in the trust store it must be in PEM format. A PEM certificate starts with the line `-----BEGIN CERTIFICATE-----`. If you see this, you're ready to install. If not, it is probably a DER certificate and needs to be converted before you can install it in the trust store.
## Install a PEM-format certificate
Assuming your PEM-formatted root CA certificate is in `local-ca.crt`, run the following commands to install it:
- Generate a self-signed certificate to use as a test CA (skip this step if you already have your organization's root CA certificate in `local-ca.crt`)
Answer the questions asked after executing the command. When asked to input a `commonName` (`CN`), it should match the hostname of the server.
```bash
openssl req -x509 -new -nodes -keyout local-ca.key -out local-ca.crt
```
- Install the CA certificate package
```bash
sudo apt-get install -y ca-certificates
```
- Copy your certificate to the local CA certificates directory
```bash
sudo cp local-ca.crt /usr/local/share/ca-certificates
```
- Add the certificate to your trust store
```bash
sudo update-ca-certificates
```
- Verify that your certificate has been added to `/etc/ssl/certs` (it appears there with a `.pem` extension)
```bash
$ sudo ls /etc/ssl/certs/ | grep local-ca
local-ca.pem
```
- You can also verify that your certificate is in the trust store bundle by picking a distinctive line from your certificate and searching for it in the bundle file; the line should appear in the bundle if it matches yours.
```bash
$ sudo cat local-ca.crt
...
L4zOd3b41xJtYldofPve
-----END CERTIFICATE-----
$ sudo cat /etc/ssl/certs/ca-certificates.crt | grep L4zOd3b41xJtYldofPve
L4zOd3b41xJtYldofPve
```
```{note}
It is important that the certificate file has the `.crt` extension, otherwise it will not be processed.
```
After this point, you can use tools like `curl` and `wget` to connect to local sites.
```{note}
This procedure updates the system trust store and affects applications that rely on the host system’s OpenSSL configuration, such as `curl` and `wget`.
Snap applications, including snap-packaged browsers, are unlikely to automatically trust certificates installed in the system trust store due to snap confinement.
```
## Uninstall a PEM-format certificate
- Verify that the certificate you'd like to uninstall exists.
```bash
$ sudo ls /usr/local/share/ca-certificates/local-ca.crt
/usr/local/share/ca-certificates/local-ca.crt
```
- Delete the certificate
```bash
sudo rm /usr/local/share/ca-certificates/local-ca.crt
```
- The certificate still exists in the trust store until the bundle is regenerated
```bash
$ sudo cat /etc/ssl/certs/ca-certificates.crt | grep L4zOd3b41xJtYldofPve
L4zOd3b41xJtYldofPve
```
- Update the trust store
```bash
sudo update-ca-certificates --fresh
```
- Verify that the certificate has been uninstalled
```bash
$ sudo cat /etc/ssl/certs/ca-certificates.crt | grep L4zOd3b41xJtYldofPve
```
## Convert from DER to PEM format
You can convert a DER-formatted certificate called `local-ca.der` to PEM form like this:
```bash
sudo openssl x509 -inform der -outform pem -in local-ca.der -out local-ca.crt
```
## The CA trust store location
The CA trust store (as generated by `update-ca-certificates`) is available at the following locations:
- As a single file (PEM bundle) in `/etc/ssl/certs/ca-certificates.crt`
- As an OpenSSL-compatible certificate directory in `/etc/ssl/certs`
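As an added example (not code from the Ubuntu documentation), the following Python script detects whether a certificate file is PEM or DER, applies the DER-to-PEM framing that the `openssl x509` conversion above produces, and checks whether a certificate is present in the PEM bundle at `/etc/ssl/certs/ca-certificates.crt` by comparing full DER bytes rather than grepping one base64 line, which also confirms that a bundle is stale after an uninstall until `update-ca-certificates --fresh` is run. The `is_installed` helper and the sample certificate bodies are constructed for this example.

```python
"""Added example (not from the Ubuntu docs): detect PEM vs DER, convert between
them, and check a CA certificate against a bundle by comparing full DER bytes."""
import base64
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def detect_format(data: bytes) -> str:
    # PEM carries a text header; DER starts with the ASN.1 SEQUENCE tag 0x30.
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"

def pem_to_der(pem_text: str) -> list:
    """Decode every CERTIFICATE block of a PEM file or bundle to DER bytes."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]

def der_to_pem(der: bytes) -> str:
    """Wrap DER in PEM framing, as `openssl x509 -inform der -outform pem` does."""
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def bundle_contains(bundle_text: str, cert: bytes) -> bool:
    """True if the bundle holds a certificate byte-identical to cert (PEM or DER)."""
    fmt = detect_format(cert)
    if fmt == "PEM":
        wanted = pem_to_der(cert.decode("ascii"))[0]
    elif fmt == "DER":
        wanted = cert
    else:
        raise ValueError("input is neither a PEM nor a DER certificate")
    return wanted in pem_to_der(bundle_text)

def is_installed(cert_path: str,
                 bundle_path: str = "/etc/ssl/certs/ca-certificates.crt") -> bool:
    """Check a certificate file against the system bundle on a real host."""
    with open(cert_path, "rb") as c, open(bundle_path, encoding="utf-8") as b:
        return bundle_contains(b.read(), c.read())

# Constructed stand-ins: real certificates are DER-encoded X.509 SEQUENCEs;
# these placeholder bodies keep only the leading 0x30 tag byte.
LOCAL_CA_DER = b"\x30\x82" + b"constructed local-ca placeholder body"
OTHER_CA_DER = b"\x30\x82" + b"constructed unrelated-ca placeholder body"
SYSTEM_BUNDLE = der_to_pem(OTHER_CA_DER) + der_to_pem(LOCAL_CA_DER)
```

On a real host, `is_installed("local-ca.crt")` answers the same question as the `grep` check above but for the whole certificate rather than one line of it.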