Install personal CA

I needed to install a personal CA certificate on my Linux Mint computer, which I did like this:

sudo mkdir -p /usr/share/ca-certificates/extra/
sudo cp Fortinet_CA_SSL.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates

After the last command, you need to select your CA in the dialog that appears. Afterwards the CA is trusted by command-line tools like curl and wget, but browsers like Chrome still don't trust the CA, because they read their own NSS certificate databases.

For this to work, we need to execute a few further steps, beginning with installing the “certutil” tool:

sudo apt install libnss3-tools

Afterwards we need to find all “cert9.db” files:

sij@mint20:~$ find ~/ -name "cert9.db"
/home/sij/.pki/nssdb/cert9.db
/home/sij/.mozilla/firefox/2h7izx7h.default-release/cert9.db

Each of these files needs to be extended with our certificate:

certutil -A -n FortiGate -t TCu,Cu,Tu -i /usr/share/ca-certificates/extra/Fortinet_CA_SSL.crt -d sql:/home/sij/.pki/nssdb
certutil -A -n FortiGate -t TCu,Cu,Tu -i /usr/share/ca-certificates/extra/Fortinet_CA_SSL.crt -d sql:/home/sij/.mozilla/firefox/2h7izx7h.default-release

Source

All credits to https://thomas-leister.de/en/how-to-import-ca-root-certificate/, where I found the solution for my problem. He even provides a small script, which adds the certificate to the “cert9.db” files.
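
The find and certutil steps above can be combined into one loop over every cert9.db, with a check after each import. This is an added example, not the script from the linked article and not code from the original post; the function names find_nss_dbs and import_ca are hypothetical.

```shell
#!/bin/sh
# Added example: import one CA certificate into every NSS database
# (cert9.db) below a directory. Function names are hypothetical.

# Print the directory of each cert9.db below $1, one per line.
find_nss_dbs() {
    find "$1" -type f -name cert9.db 2>/dev/null | while IFS= read -r db; do
        dirname "$db"
    done
}

# import_ca CERT NICKNAME ROOT
# Adds CERT as NICKNAME to every NSS database below ROOT, using the trust
# flags from the commands above, then lists the entry to confirm it exists.
# Prints the number of databases updated; non-zero status on any failure.
import_ca() {
    cert=$1 nick=$2 root=$3 ok=0 failed=0
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    dbs=$(find_nss_dbs "$root")
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if certutil -A -n "$nick" -t "TCu,Cu,Tu" -i "$cert" \
                -d "sql:$dir" </dev/null &&
           certutil -L -n "$nick" -d "sql:$dir" >/dev/null </dev/null; then
            ok=$((ok + 1))
        else
            echo "import failed for $dir" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$dbs
EOF
    echo "$ok"
    [ "$failed" -eq 0 ]
}

# Usage: script CERT NICKNAME [ROOT]   (ROOT defaults to $HOME)
if [ "$#" -ge 2 ]; then
    import_ca "$1" "$2" "${3:-$HOME}"
fi
```

Close the browsers before running it and restart them afterwards, so that they reread the databases.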