Trust Certificates in Linux


If you need to trust internal certificate authorities in Linux for the system itself (not just the browsers; I always use a shell for my commands), first export the certificates in Base64 format, and the file extension needs to be "crt". You need this when you cannot communicate with an internal server because its certificate was issued by your own internal CA. To check whether this is the problem, run a "curl" command against the web server in question as below:

┌──(mooney㉿bearnose)-[~/sslscan]
└─$ curl https://bearclaws.bear.local
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

This error indicates that your Linux box does not trust your internal CA certificates. Windows does this automatically when the machine is joined to a domain, especially when the CA is internal rather than external.

Export the files from Windows, which is what I used for this instance; they were exported as Base64 as below:




If you already have them exported in DER format (the Windows default), it is not an issue; convert them to Base64 with this command:

openssl x509 -in <cert-as-der.cer> -inform der -out <out-as-base64.crt>

Once they are exported, copy them to the Linux server. To ensure you have the correct format, view the files: the first line should read "-----BEGIN CERTIFICATE-----" as below:


Once you have them all copied over (I have 3 for this example), run the command below to enter an elevated (root) session:

su -

Then navigate to the directory where you copied the files on the server; for me that was:

/home/mooney/monitoror

That should look like this:


If you list the files in the directory you should see the files you have copied over as below:


Then you need to issue the command:

cp <name of cert>.crt /usr/local/share/ca-certificates


Once copied to the correct location, you then need to run this command to import them:

update-ca-certificates -v


This will then import the certificate like this:


At the bottom it will confirm that 3 certificates were added, which is correct.

Now curl and the application will work as expected, as you now trust the certificate issued by the internal CA.
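The whole procedure as one script, added here as an example and not part of the original post: it checks whether each exported file is already Base64 (PEM) or still DER, converts it if needed, installs it under the ".crt" name that update-ca-certificates looks for, rebuilds the store, and verifies the result. The input file names and the host passed to verify_trust are assumed placeholders; install_cas and verify_trust need the root session from "su -".

```shell
#!/bin/sh
# Added example (not the original post's code). Assumed placeholders: the
# exported file names given to install_cas and the host given to verify_trust.

# Print "pem", "der" or "unknown" for the file given as $1.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der      # 0x30 is the ASN.1 SEQUENCE tag every DER X.509 cert starts with
    else
        echo unknown
    fi
}

# Write $1 as a Base64/PEM certificate to $2, converting from DER when needed.
# Fails (non-zero) if the input is not recognisable as a certificate.
to_pem_crt() {
    case "$(cert_format "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -in "$1" -inform der -out "$2" ;;
        *)   echo "not a certificate: $1" >&2; return 1 ;;
    esac
}

# Install every given file into the local CA directory and rebuild the store.
install_cas() {
    dest=/usr/local/share/ca-certificates
    for f in "$@"; do
        base=$(basename "$f")
        name="${base%.*}.crt"     # update-ca-certificates only picks up *.crt files
        to_pem_crt "$f" "$dest/$name" || return 1
    done
    update-ca-certificates -v
}

# Confirm the CA ($1) is now in the merged bundle and that curl to host $2
# no longer fails with error 60.
verify_trust() {
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "$1" \
        && curl -sS -o /dev/null "https://$2"
}
```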
