Skip to content

Accept private ca certificate

If you want your server to accept custom certificates, you can follow the below steps. There are two scenarios: 1. You have a self-signed certificate
2. You have a certificate which signed by a CA, but the CA is not recognized by the server by default.

For scenario 1, you just copy the self-signed certificate. For scenario 2, you should copy the root CA certificate, so all the certificate signed by this CA will be accepted in the future.

1. Convert certificate to accepted format

Debian only accepts certificate of format .crt or .pem. If your certificate is in other formats, you need to convert them into the accepted format

# convert der to crt
openssl x509 \
       -inform der -in domain.der \
       -out domain.crt

# convert pcks7 to crt
openssl pkcs7 \
       -in domain.p7b \
       -print_certs -out domain.crt

# convert pkcs12 to crt
openssl pkcs12 \
       -in domain.pfx \
       -nodes -out domain.combined.crt

Certain certificate format contains also the private key, so pay attention on the output file, don't leak the private key.

2. Add certificate as trusted

# to keep track off the custom ca we create a sub-folder
sudo mkdir /usr/local/share/ca-certificates/casd-ca

# copy the certificate
sudo cp your-ca.crt /usr/local/share/ca-certificates/casd-ca/.

# ask debian to load the new certificate
sudo update-ca-certificates

# test it with a site which uses the certificate or signed by the certificate
curl https://target-url