TL;DR
This guide shows you how to add a root certificate to your system’s trust store so that applications can verify certificates signed by it. This is often needed when using self-signed certificates or certificates from private Certificate Authorities (CAs).
Steps
- Get the Root Certificate: Obtain the root certificate in a suitable format, usually PEM (.pem), DER (.der), or CER (.cer). This file contains the public key of the CA that signed your other certificates.
- Determine Your Operating System: The process varies depending on whether you’re using Windows, macOS, or Linux.
Windows
- Open Certificate Manager: Press the Windows key, type ‘certmgr.msc’, and press Enter.
- Import the Certificate:
  - In the left pane, expand ‘Trusted Root Certification Authorities’.
  - Right-click on ‘Certificates’ and select ‘All Tasks’ -> ‘Import…’.
  - The Certificate Import Wizard will appear. Click ‘Next’.
  - Click ‘Browse…’ and locate your root certificate file. Make sure to select the correct file type (usually PEM or DER).
  - Click ‘Next’.
  - Choose ‘Place all certificates in the following store’ and ensure it is set to ‘Trusted Root Certification Authorities’. Click ‘Next’.
  - Click ‘Finish’. You may be prompted for administrator credentials.
- Verify Installation: Check that the certificate appears in the ‘Trusted Root Certification Authorities’ store.
macOS
- Open Keychain Access: Open Finder, go to Applications -> Utilities -> Keychain Access.
- Import the Certificate:
  - Drag and drop your root certificate file into the ‘System’ keychain in Keychain Access. Alternatively, use File -> Import Items…
  - If prompted, enter your administrator password.
- Trust the Certificate:
  - Find the imported certificate in the ‘System’ keychain.
  - Double-click on the certificate to open its details.
  - Expand the ‘Trust’ section.
  - Change ‘When using this certificate:’ to ‘Always Trust’. You may need to enter your administrator password again.
- Verify Installation: Check that the certificate shows ‘Always Trust’ in the ‘Trust’ section of its details.
Linux (Debian/Ubuntu)
- Copy the Certificate: Copy your root certificate file to a suitable location, such as /usr/local/share/ca-certificates/.
    sudo cp myroot.pem /usr/local/share/ca-certificates/myroot.crt
- Update the Certificate Store: Run the following command to update the system’s certificate store:
    sudo update-ca-certificates
- Verify Installation: Check that the certificate is listed in /etc/ssl/certs/. You can use this command to check for it:
    ls /etc/ssl/certs/*myroot*
Linux (CentOS/RHEL)
- Copy the Certificate: Copy your root certificate file to a suitable location, such as /etc/pki/ca-trust/source/anchors/.
    sudo cp myroot.pem /etc/pki/ca-trust/source/anchors/myroot.crt
- Update the Certificate Store: Run the following command to update the system’s certificate store:
    sudo update-ca-trust extract
- Verify Installation: Check that the certificate is listed in /etc/pki/tls/certs/. You can use this command to check for it:
    ls /etc/pki/tls/certs/*myroot*
Troubleshooting
- Permissions: Ensure the certificate file has appropriate read permissions.
- File Format: Double-check that you are using a supported file format (PEM, DER, CER).
- Restart Applications: Some applications may require a restart to recognize the new root certificate.
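
The Linux steps and the File Format item above, as an added example that is not part of the original guide: a POSIX shell pre-check that normalises a PEM or DER file to the PEM .crt file that update-ca-certificates expects, and refuses anything that is not an unexpired, self-signed CA certificate. The function names cert_format and precheck_root are assumptions for illustration, and the openssl command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Added example: checks to run on a root certificate file before copying
# it into a system trust directory. Function names are illustrative.

# Classify a file as "pem", "der" or "unknown" from its content.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der    # DER starts with an ASN.1 SEQUENCE tag, byte 0x30
    else
        echo unknown
    fi
}

# precheck_root <input-cert> <output.crt>
# Writes a PEM copy to <output.crt>, refuses files that are not an
# unexpired, self-signed CA certificate, and prints the details to compare
# against the fingerprint published by the CA's owner.
# The body is a subshell, so "exit" only leaves the function.
precheck_root() (
    src=$1 dst=$2
    case "$(cert_format "$src")" in
        pem) cp -- "$src" "$dst" || exit 1 ;;
        der) openssl x509 -inform DER -in "$src" -out "$dst" || exit 1 ;;
        *)   echo "not a PEM or DER certificate: $src" >&2; exit 1 ;;
    esac
    fail() { echo "refusing $src: $1" >&2; rm -f -- "$dst"; exit 2; }
    openssl x509 -in "$dst" -noout 2>/dev/null || fail "cannot be parsed"
    # A trust anchor must be permitted to sign other certificates.
    openssl x509 -in "$dst" -noout -text | grep -q 'CA:TRUE' ||
        fail "basicConstraints is not CA:TRUE"
    # A root is self-signed: subject and issuer names hash identically.
    [ "$(openssl x509 -in "$dst" -noout -subject_hash)" = \
      "$(openssl x509 -in "$dst" -noout -issuer_hash)" ] ||
        fail "issuer differs from subject (intermediate or leaf?)"
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$dst" -noout -checkend 0 >/dev/null ||
        fail "certificate has expired"
    openssl x509 -in "$dst" -noout -subject -enddate -fingerprint -sha256
)
```

Compare the printed SHA-256 fingerprint with the value obtained from the CA's owner over a separate channel before copying the output file into the trust directory and running the update command.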

