Trusting Your Root CA (Linux)

Debian Systems

This should work for most Debian-based systems, such as Debian, Ubuntu, Mint, and Pop!_OS.

  1. Ensure you have downloaded your Root CA.

  2. Open a terminal and run:

    sudo apt update
    sudo apt install -y ca-certificates p11-kit
    
  3. Move into the directory where you downloaded your Root CA (usually ~/Downloads), for example:

    cd ~/Downloads
    
  4. Add your Root CA to your OS trust store. Be certain to replace adjective-noun with your server's unique hostname in the 3rd and 4th commands:

    sudo mkdir -p /usr/share/ca-certificates/start9
    sudo cp "adjective-noun.crt" /usr/share/ca-certificates/start9/
    sudo bash -c "echo 'start9/adjective-noun.crt' >> /etc/ca-certificates.conf"
    sudo update-ca-certificates
    

    If successful, the output will include "1 added".

  5. If using Firefox or Tor Browser, complete this final step.

  6. If using a Chromium browser, such as Chrome or Brave, complete the Additional Steps for Chromium Browsers below.

Arch / Garuda

  1. Ensure you have downloaded your Root CA.

  2. Move into the directory where you downloaded your Root CA (usually ~/Downloads), for example:

    cd ~/Downloads
    
  3. Add your Root CA to your OS trust store. Be certain to replace adjective-noun with your server's unique hostname in the 3rd and 4th commands:

    sudo pacman -S ca-certificates
    sudo cp "adjective-noun.crt" /etc/ca-certificates/trust-source/anchors/
    sudo update-ca-trust
    

    Despite no output from the last command, you can test your app right away.

CentOS / Fedora

  1. Ensure you have downloaded your Root CA.

  2. In /etc/systemd/resolved.conf, ensure you have MulticastDNS=Yes.

  3. Restart systemd-resolved:

    sudo systemctl restart systemd-resolved
    
  4. Move into the directory where you downloaded your Root CA (usually ~/Downloads), for example:

    cd ~/Downloads
    
  5. Add your Root CA to your OS trust store. Be certain to replace adjective-noun with your server's unique hostname in the 3rd and 4th commands:

    sudo yum install ca-certificates
    sudo cp "adjective-noun.crt" /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust
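
Each procedure above makes the downloaded file a system-wide trust anchor, so it is worth inspecting the file before the copy step. The script below is an added example, not part of the original guide: it checks that the file is a self-signed, unexpired CA certificate and prints its SHA-256 fingerprint for comparison with a fingerprint you obtain from the server by other means. It assumes the openssl CLI is installed; the function names and the script name check-root-ca.sh are this example's own.

```bash
#!/usr/bin/env bash
# Added example: inspect a downloaded Root CA before making it a trust anchor.
# Requires the openssl CLI. "adjective-noun.crt" is the page's placeholder name.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 only if $1 is a self-signed, currently valid CA certificate.
check_root_ca() {
    local crt="$1" subj iss
    # 1. Must parse as a PEM X.509 certificate.
    openssl x509 -in "$crt" -noout 2>/dev/null ||
        { echo "FAIL: not a PEM certificate: $crt" >&2; return 1; }
    # 2. A root is self-issued: subject and issuer are the same name.
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] ||
        { echo "FAIL: issuer differs from subject" >&2; return 1; }
    # 3. basicConstraints must mark it as a CA, or it cannot sign site certs.
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints is not CA:TRUE" >&2; return 1; }
    # 4. Must not be expired (-checkend 0 = "still valid in 0 seconds").
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired" >&2; return 1; }
    # 5. The signature must verify under the certificate's own public key.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: self-signature does not verify" >&2; return 1; }
    echo "OK: $subj"
    echo "SHA-256 fingerprint: $(ca_fingerprint "$crt")"
}

# Usage (hypothetical script name): ./check-root-ca.sh adjective-noun.crt
[ "$#" -eq 0 ] || check_root_ca "$1"
```

A non-zero exit status means the file should not be added to the trust store as-is.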
    

Additional Steps for Chromium Browsers

On Linux, Chromium browsers require extra configuration to trust your Root CA. These instructions should work for Chrome, Brave, Vivaldi and other Chrome-based browsers.

  1. In the URL bar, enter chrome://settings/certificates.

  2. Click Authorities > Import.

  3. Select your adjective-noun.crt file.

  4. Check "Trust this certificate for identifying websites".

  5. Click OK.