How to import CA root certificates on Linux and Windows

In most cases running an own CA (certification authority) is not advisable. But there are exceptions: If you want to secure internal services of your company, using your own CA might be necessary. During my employment at ADITO Software GmbH I created a tool for X.509 certificate management. The root certificate of my tool had to be imported into every PC of the company. Unfortunately there are some pitfalls which I did not expect, but after some research I figured out how to import the new CA to Linux- and Windows PCs and to every major webbrowser.

In the following text root.cert.pem is the root certificate file.


System (Debian / Ubuntu)

Installing the root certificate on a Linux PC is straight forward:

sudo mkdir /usr/local/share/ca-certificates/extra
sudo cp root.cert.pem /usr/local/share/ca-certificates/extra/root.cert.crt
sudo update-ca-certificates

After these steps the new CA is known by system utilities like curl and get. Unfortunately, this does not affect most web browsers like Mozilla Firefox or Google Chrome.

System (Fedora)

Setup on Fedora Linux is a bit different:

sudo cp root.cert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Browser (Firefox, Chromium, …)

Manual setup of your certificate is also possible via GUI, e.g. in Firefox: “Settings” => “Privacy and Security” => “Show certificates” => “Certificate authorities” => “Import” (Similar in Chromium)

Web browsers like Firefox, Chromium, Google Chrome, Vivaldi and even e-mail clients like Mozilla Thunderbird don’t make use of the OS trust store, but use their own certificate trust store. These trust stores are files in the user directory, named “cert8.db” and “cert9.db” (for newer versions). You can modify the trust store files by using the “certutil” tool. To install certutil, execute the following apt command:

sudo apt install libnss3-tools

This little helper script finds trust store databases and imports the new root certificate into them.


### Script installs root.cert.pem to certificate trust store of applications using NSS
### (e.g. Firefox, Thunderbird, Chromium)
### Mozilla uses cert8, Chromium and Chrome use cert9

### Requirement: apt install libnss3-tools

### CA file to install (CUSTOMIZE!)

certname="My Root CA"

### For cert8 (legacy - DBM)

for certDB in $(find ~/ -name "cert8.db")
    certdir=$(dirname ${certDB});
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d dbm:${certdir}

### For cert9 (SQL)

for certDB in $(find ~/ -name "cert9.db")
    certdir=$(dirname ${certDB});
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${certfile} -d sql:${certdir}

After execution of this script your root CA should be known to Firefox, Chrome, Chromium, Vivaldy and other browsers.



New root certificates can easily be imported into Windows via Active Directory. However, if you do not have Active Directory enabled on your Windows machines, this is how you manually import your certificate:

Change your certificate’s file name extension from .pem to .crt and open the file. Then select “Install certificate” => “Local machine” and browse the certificate store. Your certificate should be installed into “Trusted Root Certification Authorities”.

On Windows most webbrowsers and other applications use the OS trust store, so Google Chrome and Vivaldi should accept your certificates instantly. However, Firefox needs special treatment ..

Mozilla Firefox

Like on Linux platforms, Firefox uses its own certificate trust store. You can manually import your root certificate via the Firefox settings, or force Firefox to use the Windows trust store:

Create a new Javascript file firefox-windows-truststore.js at C:\Program Files (x86)\Mozilla Firefox\defaults\pref with the following content:

/* Enable experimental Windows trust store support */
pref("security.enterprise_roots.enabled", true);

Firefox should know your CA after a browser restart.