
Adding trusted root ca certificates on linux

This guide shows how to add trusted root CAs on Debian- or Ubuntu-based Linux systems to enable seamless TLS encryption using your internal PKI.

Daniel Nachtrub

Working with Linux in a professional environment may require you to access internal services over secured connections. In most cases connection security is realised with TLS encryption, which relies on certificates when establishing a connection.

One way to establish TLS connections without specifying custom CA chains each time is to add your custom CA certificates as trusted root CAs.

This guide shows how to achieve this on Debian / Ubuntu.

Store CA certificates

The first step is to copy the certificate files to /usr/local/share/ca-certificates

# Copy certificates to location (update-ca-certificates only picks up files
# in this directory that end in .crt)
cp /tmp/foo.crt /usr/local/share/ca-certificates/foo.crt
chmod 644 /usr/local/share/ca-certificates/foo.crt

Certificates must be stored in PEM format.

Alternative paths

There's also a path at /usr/share/ca-certificates which works as well when adding trusted root CAs.

I strongly recommend storing the configuration under /usr/local/share as it's the path intended for this type of data (

Import CA certificates

Use the following command to import desired certificates.


This will guide you through a wizard that allows you to select which certificates should be added.

That's all you need to do. Applications that rely on the system certificate store (like curl) will now trust certificates signed by your internal root CAs.
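The two steps above (store the file, then import it) fail silently when the file is not PEM, does not end in .crt, or is not actually a CA certificate, because update-ca-certificates simply skips what it cannot use. The following script is an added example, not code from the original post: it wraps the store-and-import procedure with those checks and verifies afterwards that the CA really landed in the system store. It assumes the CA file path is passed as the first argument (e.g. /tmp/foo.crt) and that it runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): install an internal root CA on a
# Debian/Ubuntu host with the checks update-ca-certificates does not do for you.
# Assumed input: path to a PEM certificate, e.g. /tmp/foo.crt. Run as root.
set -eu

CA_DIR=/usr/local/share/ca-certificates

# update-ca-certificates silently ignores anything that is not a PEM file
# ending in .crt, so a DER file or a foo.pem would "install" without effect.
is_pem_cert() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f"
}

# Destination file name: keep the base name but force a .crt suffix.
dest_name() {
    name=$(basename "$1")
    case "$name" in
        *.crt)        printf '%s\n' "$name" ;;
        *.pem|*.cer)  printf '%s.crt\n' "${name%.*}" ;;
        *)            printf '%s.crt\n' "$name" ;;
    esac
}

# Sanity check: a root CA must carry basicConstraints CA:TRUE, otherwise
# clients will reject chains built from it. Skipped when openssl is absent.
is_ca_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

install_ca() {
    src="$1"
    if ! is_pem_cert "$src"; then
        echo "error: $src is not a PEM certificate; convert DER with:" >&2
        echo "  openssl x509 -inform der -in $src -out ${src%.*}.crt" >&2
        return 1
    fi
    if ! is_ca_cert "$src"; then
        echo "error: $src is not a CA certificate (basicConstraints CA:TRUE missing)" >&2
        return 1
    fi
    dst="$CA_DIR/$(dest_name "$src")"
    # Same effect as cp + chmod 644, with root ownership made explicit
    install -m 0644 -o root -g root "$src" "$dst"
    update-ca-certificates
    # update-ca-certificates links each accepted file into /etc/ssl/certs as <name>.pem
    link="/etc/ssl/certs/$(basename "$dst" .crt).pem"
    if [ -L "$link" ]; then
        echo "installed: $dst -> $link"
    else
        echo "error: $dst was not picked up by update-ca-certificates" >&2
        return 1
    fi
}

# Run only when a certificate path is given on the command line.
if [ "$#" -ge 1 ]; then
    install_ca "$1"
fi
```

Run it as `sh install-ca.sh /tmp/foo.crt`. The final symlink check is the quickest way to tell a successful import from a silently ignored file; `curl https://internal.example` (a placeholder host) against a service issued by that CA is the end-to-end confirmation.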

Adding to docker

The approach described above also works when building containers. Use the following commands in your Dockerfile.

ADD foo.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates

If you don't want to build a container, you'll need to map the certificates into the container using a volume and run update-ca-certificates when the container starts.
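For the volume-mount variant, the piece that is easy to get wrong is the "run update-ca-certificates when starting" part: it has to happen inside the container, before the real process starts, and it does nothing if the mounted files are not *.crt. The entrypoint wrapper below is an added example, not code from the original post; it assumes a Debian/Ubuntu-based image with the ca-certificates package, and the host path /srv/pki/roots and image name myimage are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): entrypoint wrapper for a container
# that receives internal CA certificates through a volume instead of at build time.
# Assumes a Debian/Ubuntu base image with the ca-certificates package installed.
# Assumed usage on the host (placeholder paths and image name):
#   docker run -v /srv/pki/roots:/usr/local/share/ca-certificates:ro \
#              --entrypoint /entrypoint.sh myimage <original command...>
set -eu

CA_DIR=${CA_DIR:-/usr/local/share/ca-certificates}

# Count mounted files that update-ca-certificates would actually consider:
# regular files ending in .crt. DER files, *.pem and anything else are ignored.
count_crt_files() {
    dir="$1"
    n=0
    for f in "$dir"/*.crt; do
        if [ -f "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

refresh_trust_store() {
    if [ "$(count_crt_files "$CA_DIR")" -gt 0 ]; then
        # Rebuilds /etc/ssl/certs and the ca-certificates.crt bundle, so curl,
        # python and friends trust the mounted roots for this container's lifetime.
        update-ca-certificates
    else
        echo "warning: no *.crt files in $CA_DIR; internal CAs will NOT be trusted" >&2
    fi
}

# Only act when used as an entrypoint with a command to exec; the mounted
# volume may stay read-only because update-ca-certificates writes to /etc/ssl.
if [ "$#" -gt 0 ]; then
    refresh_trust_store
    exec "$@"
fi
```

The wrapper needs to run as root for update-ca-certificates to write /etc/ssl/certs; if the workload itself must drop privileges, do so in the exec'd command rather than before the refresh. The warning branch is deliberate: a missing or mis-named volume should be visible in the container logs instead of surfacing later as an unexplained TLS handshake failure.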

Running professional workloads requires administrators to ensure that even internal communication is secure. Running services with self-signed or untrusted certificates is no longer acceptable in my opinion. This guide shows how easy it is to add your internal PKI to Linux-based systems and establish reliable trust on internal connections.

All in all an easy step to a better and more secure world :-)

Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.