importing root CA certificate in linux

by leosenko   Last Updated February 18, 2018 01:02 AM

Maybe this is a duplicate, but i cannot find the answer. Windows CA authorities provide their root certificates in several forms: The certificate by itself and full chain, each can be downloaded in 2 formats: DER and BASE64. There are tens of articles about certificate formats on the internet but none about what format do I need when I want to import the CA into linux store using update-ca-certificates.

The issue is so complicated because not only that there are multiple formats, there are also multiple extensions. In the common case they would be p7b, pem, pfx, cer and crt and who knows what else. I don't give a damn about understanding all the various "my toy, your toy" psychology of evolution of these formats or their intricacies.

Can someone simply state:

  1. What format of CA certificate does update-ca-certificates requires?
  2. What extension does update-ca-certificates requires?
  3. Which format from Windows CA should I use: DER or Base64 for to get the certificate and how to convert it to the format understood by update-ca-certificates?
  4. Should I download the whole chain or just the root CA certificate?

Answers 1

format = Pem file

To convert use :

openssl x509 -inform DER -in yourdownloaded.crt -out outcert.pem -text


sudo mkdir /usr/local/share/ca-certificates/extra
sudo cp root.cert.pem /usr/local/share/ca-
sudo update-ca-certificates
February 18, 2018 00:12 AM

Related Questions

How to installed Debian 8.8 uEFI

Updated June 05, 2017 21:02 PM

Freezed cursor on Lenovo B50-30 during Debian install

Updated October 13, 2017 17:02 PM

How to resolve 'held broken packages' (python)?

Updated February 09, 2019 06:02 AM