Image: Jack Wallen

If you’re a web, network, or security admin, chances are good that you’ve had to (or will have to) deal with Certificate Authority (CA) Certificates. For those that are charged with the management of CA certificates, you know how much of a hassle it can be. Hopefully, we can put your mind (and nerves) at ease. How? Because managing these certificates on Ubuntu Server doesn’t have to be all that challenging.

Let’s make this easy.

I’m going to demonstrate how to install a root CA certificates on Ubuntu Server 18.04. For those that are unsure, a root certificate is one that has been signed by a trusted Certificate Authority (such as those purchased from the likes of Globalsign).

SEE: Windows 10 security: A guide for business leaders (Tech Pro Research)

Why you need this

You might have applications or services, installed on Ubuntu server, that depend upon authorized SSL connections to properly function. Applications like Apache depend upon CAs, in order to serve up HTTPS connections. Once you have the CA in place (and recognized), you can then configure those apps and services to make use of the certificate files.

What you need

To make this work, you need the following:

  • Running instance of Ubuntu Server 18.04.
  • Root CA, purchased from a trusted CA.
  • User account with sudo privileges.

With those items at the ready, it’s time to install.


The first thing to do is install the ca-certificates package, a tool which allows SSL-based applications to check for the authenticity of SSL connections. To install this piece of software, open a terminal window and issue the command:

sudo apt-get install ca-certificates -y

Copying files

Next we need to copy that purchased .cer or .crt file into the proper location. With that certificate file on the Ubuntu server, copy it to the necessary directory with the command:

sudo cp CERTIFICATE.crt /usr/local/share/ca-certificates

Where CERTIFICATE is the name of the CA file to be copied.

Converting from PEM

If your certificate is a PEM file, it must first be converted to the .crt format. To do this you must use the openssl command like so:

openssl x509 -outform der -in CERTIFICATE.pem -out CERTIFICATE.crt

Where CERTIFICATE is the name of your certificate file.

Once you have the PEM file converted to .crt, you can then copy the file to the required directory (as shown above).

Update your certificate

The last step is to update your certificates. With a single command you can update the certificates and generate the ca-certificates.crt file (which is a concatenated list of all installed certificates). The command to run is:

sudo update-ca-certificates

And that’s all there is to it. You now have a working CA certificate file, in the proper location, so that SSL applications can make use of those CAs.

No more pulling out your hair, because your CAs aren’t being recognized.

Editor’s note: The command for copying files was corrected.