update-ca-certificates Command on Ubuntu

PKI Tutorials - Herong's Tutorial Examples

∟update-ca-certificates Command on Ubuntu

This section describes how to use the update-ca-certificates Command to manage trusted root CA certificates on Ubuntu computers.

If you are using Ubuntu computers, you should use the update-ca-certificates command to manage trusted root CA certificates.

The update-ca-certificates command uses the following files and directories:

/etc/ca-certificates.conf - A list of root CA certificate files that you want to trust or disable.
/etc/ssl/certs/ca-certificates.crt - A certificate bundle file of all trusted root CA certificates.
/usr/share/ca-certificates - An input directory where root CA certificates are located.
/usr/local/share/ca-certificates An input directory where local self-signed certificates are located.

Add a new trusted root CA certificate - Save the certificate with file extension of .crt and follow these steps:

# copy the root certificate to input directory
herong$ sudo cp new-root-cert.crt /usr/share/ca-certificates/

# add the root certificate to root certificate list as trusted 
herong$ sudo vi /etc/ca-certificates.conf
...
new-root-cert.crt

# update the root certificate bundle file 
sudo update-ca-certificates

Disable an existing root CA certificate - Follow these steps:

# mark root certificate as disabled 
herong$ sudo vi /etc/ca-certificates.conf
...
!old-root-cert.crt

# update the root certificate bundle file 
sudo update-ca-certificates