Local certificates

From Gentoo Wiki

This article provides instructions to system administrators on managing the certificate store that is kept for system wide consumption. In practice this means managing the ca-certificates package and any self-signed or internal CA certificates that the system should trust.

System wide certificates

To add a certificate (for example a self-signed certificate or an organization's internal CA certificate) to the system wide list of trusted certificates, place the new certificate in the /usr/local/share/ca-certificates/ directory. Make sure the certificate's file name ends with the suffix .crt and not with .pem, otherwise it will not be picked up.

root #mkdir -p /usr/local/share/ca-certificates/
root #cp path/to/my.crt /usr/local/share/ca-certificates/

Ensure users have the necessary read access to the directory and the certificates in it, otherwise users will not be able to trust any custom certificates because reading the files fails. It is also important to ensure that untrusted users do NOT have write access: anyone who can write to this directory can add a CA that the whole system will trust.

To add the certificates to /etc/ssl/certs/, either run:

root #update-ca-certificates
Updating certificates in /etc/ssl/certs...
140 added, 0 removed; done.

Alternatively, rebuilding the app-misc/ca-certificates package will also invoke the command:

root #emerge --oneshot app-misc/ca-certificates

This (re)generates a single concatenated bundle, /etc/ssl/certs/ca-certificates.crt, from all readable certificates in the /usr/local/share/ca-certificates/ directory.
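The steps above (correct suffix, readable but not writable files, then a refresh of the bundle) can be scripted and checked. The following POSIX shell helpers are an added example and are not part of the Gentoo wiki or the ca-certificates package; the function names and the CA_DIR variable are this example's own, CA_DIR defaults to the directory the page uses and can be pointed at a scratch directory to try the checks without root.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki): stage a local CA certificate the
# way the steps above describe and verify the result. CA_DIR and the helper
# names are this example's own choices; CA_DIR defaults to the path the page
# uses and can be overridden with an environment variable for testing.
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"

# check_cert FILE: succeed only for a readable PEM certificate whose name ends
# in .crt (a .pem file in this directory is silently ignored by the update).
check_cert() {
    f="$1"
    case "$f" in
        *.crt) ;;
        *) echo "refusing $f: name must end in .crt" >&2; return 1 ;;
    esac
    [ -r "$f" ] || { echo "refusing $f: unreadable" >&2; return 1; }
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
       || ! grep -q -- '-----END CERTIFICATE-----' "$f"; then
        echo "refusing $f: no PEM certificate block" >&2
        return 1
    fi
    # When openssl is installed, also require that the file parses as X.509.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$f" -noout >/dev/null 2>&1 \
            || { echo "refusing $f: openssl cannot parse it" >&2; return 1; }
    fi
}

# install_cert FILE: copy into CA_DIR with the permissions the page asks for:
# directory and file are world-readable and writable only by their owner.
install_cert() {
    f="$1"
    check_cert "$f" || return 1
    mkdir -p "$CA_DIR" && chmod 0755 "$CA_DIR" || return 1
    cp -- "$f" "$CA_DIR/" || return 1
    chmod 0644 "$CA_DIR/$(basename "$f")"
}

# check_perms: fail (and list the offenders) if CA_DIR or any .crt in it is
# group- or world-writable, or is not world-readable.
check_perms() {
    bad=$(find "$CA_DIR" \( -name '*.crt' -o -type d \) \
          \( -perm -020 -o -perm -002 -o ! -perm -004 \) -print)
    [ -z "$bad" ] || { printf '%s\n' "$bad" >&2; return 1; }
}

# count_certs BUNDLE: number of PEM certificates in a concatenated bundle such
# as /etc/ssl/certs/ca-certificates.crt; compare before and after a refresh.
count_certs() {
    [ -f "$1" ] || return 1
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# refresh_bundle: rebuild /etc/ssl/certs as the page shows (requires root).
refresh_bundle() {
    [ "$(id -u)" -eq 0 ] || { echo "refresh_bundle: run as root" >&2; return 1; }
    update-ca-certificates
}
```

Typical use as root is `install_cert path/to/my.crt && check_perms && refresh_bundle`, then `count_certs /etc/ssl/certs/ca-certificates.crt` to confirm the bundle grew by the expected number of certificates.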

Chromium

Chromium (like many other web browsers) does not use the system wide CA certificate list.

When using Chromium-based web browsers (such as Chrome), open chrome://settings/certificates, choose the Authorities tab and import the custom CA certificate.

See also

  • Certificates — focuses on many details surrounding certificates on Gentoo Linux.

External resources