Adding trusted root CA certificates on Linux
This guide shows how to add trusted root CAs on Debian- or Ubuntu-based Linux systems to enable seamless TLS encryption using your internal PKI.
Working with Linux in a professional environment may require you to support access to internal services over secured connections. In most cases connection security is implemented with TLS encryption, which relies on certificates when establishing a connection.
To establish TLS connections easily without specifying custom CA chains, you can add your custom CA certificates as trusted root CAs.
This guide shows how to achieve this on Debian / Ubuntu.
Store CA certificates
The first step is to copy the certificate files to /usr/local/share/ca-certificates.
# Copy certificates to location
cp /tmp/foo.crt /usr/local/share/ca-certificates/foo.crt
chmod 644 /usr/local/share/ca-certificates/foo.crt
Certificates must be stored in PEM format.
Alternative paths
There's also a path located at /usr/share/ca-certificates, which also works when adding trusted root CAs.
I strongly recommend storing configuration in /usr/local/share, as it's the path intended for this type of data (https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard).
Import CA certificates
Use the following command to import the desired certificates.
update-ca-certificates
This will guide you through a wizard that allows you to select which certificates should be added.
That's all you need to do. Applications that rely on the system certificate store (like curl) will now trust certificates that are signed by your internal root CAs.
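A pre-flight check for the store and import steps above, as an added example that is not part of the original guide: it refuses files that are not single PEM certificates ending in .crt, or that carry a private key, before copying them with mode 644. The function names and the DEST override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint a CA file, then stage it for update-ca-certificates.
# DEST can be overridden so the functions can be exercised without root.
DEST=${DEST:-/usr/local/share/ca-certificates}

# Print a reason and return 1 if FILE should not be staged.
check_ca_file() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    case $f in
        *.crt) ;;
        *) echo "$f: only *.crt files are picked up" >&2; return 1 ;;
    esac
    # The staged copy is world-readable (0644): never let a key slip in.
    if grep -q -- 'PRIVATE KEY-----' "$f"; then
        echo "$f: contains a private key" >&2; return 1
    fi
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        echo "$f: no PEM certificate found (DER-encoded?)" >&2; return 1
    fi
    # One certificate per file, so each CA gets its own hashed link.
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$f: expected exactly one certificate, split bundles first" >&2
        return 1
    fi
}

# Copy FILE into DEST with mode 0644 once it passes the checks.
stage_ca() {
    check_ca_file "$1" || return 1
    install -m 644 "$1" "$DEST/$(basename "$1")"
}

# Usage: sh stage-ca.sh /tmp/foo.crt   (then run update-ca-certificates)
if [ "$#" -gt 0 ]; then
    stage_ca "$1" && echo "staged $1 in $DEST, now run update-ca-certificates"
fi
```

The checks are textual only; they do not parse the X.509 structure or confirm that the certificate is a CA.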
Adding to Docker
The approach described above works perfectly when building containers. Use the following commands in your Dockerfile.
ADD foo.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
If you don't want to build a container, you'll need to map the certificates using a volume and run update-ca-certificates when starting the container.
Running professional workloads requires administrators to ensure that even internal communication is secure. Running services with self-signed or untrusted certificates is no longer acceptable in my opinion. This guide shows how easy it is to add your internal PKI to Linux-based systems and establish reliable trust on internal connections.
All in all an easy step to a better and more secure world :-)