Here we will insert your Embassy’s CA certificate into Linux’s trust store to ensure that applications will trust your Embassy’s services.

These instructions should work for Debian, Ubuntu, or any Debian or Ubuntu-based Linux, such as Linux Mint, PopOS, etc.

Perform the following commands in the Terminal:

sudo apt install -y ca-certificates p11-kit


For each Mozilla-based application you plan on using, execute the corresponding command(s) below so that the application trusts your Embassy’s CA certificate directly from your Linux distribution’s certificate trust store:

If you use Firefox:

libnssckbiso=/usr/lib/firefox/ && sudo mv $libnssckbiso $libnssckbiso.bak && sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/ $libnssckbiso

If you use Firefox ESR:

libnssckbiso=/usr/lib/firefox-esr/ && sudo mv $libnssckbiso $libnssckbiso.bak && sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/ $libnssckbiso

If you use Librewolf:

libnssckbiso=/usr/share/librewolf/ && sudo mv $libnssckbiso $libnssckbiso.bak && sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/ $libnssckbiso

If you use Thunderbird (useful for LAN access to NextCloud’s calendar/contacts):

libnssckbiso=/usr/lib/thunderbird/ && sudo mv $libnssckbiso $libnssckbiso.bak && sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/ $libnssckbiso

If you ran any of the commands above, move the Mozilla apps’ old trust store out of the way so that the next time each app starts it will use the system trust store:

mv ~/.pki ~/.pki.mozilla-old

Finally, we will change directory to the folder where you downloaded your Embassy’s Root CA (usually ~/Downloads), and run the following commands to add your Embassy’s CA certificate to the OS trust store:

cd ~/Downloads
sudo cp "Embassy Local CA.crt" /usr/local/share/ca-certificates/
sudo update-ca-certificates

If it was successful, the output should say 1 added.
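The checks below are an added example, not part of the original instructions: they confirm that the downloaded file is a PEM-encoded CA certificate before it is copied into the trust store, and that the system bundle contains it afterwards. The function names are hypothetical, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: checks to run around the cp / update-ca-certificates step.
# Function names are hypothetical; only standard openssl subcommands are used.

# Succeeds only if $1 is a PEM-encoded X.509 certificate.
# update-ca-certificates only picks up PEM files whose name ends in .crt.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -inform PEM -in "$1" -noout 2>/dev/null
}

# Succeeds only if the certificate's Basic Constraints mark it as a CA.
is_ca_cert() {
    openssl x509 -inform PEM -in "$1" -noout -text 2>/dev/null |
        grep -q 'CA:TRUE'
}

# Prints the SHA-256 fingerprint (colon-separated hex) of certificate $1.
cert_sha256() {
    openssl x509 -inform PEM -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2
}

# Succeeds if the self-signed root $1 verifies against the PEM bundle $2
# alone; the default certificate directory is deliberately not consulted.
in_bundle() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run before copying the file into /usr/local/share/ca-certificates/.
precheck() {
    is_pem_cert "$1" || { echo "not a PEM certificate: $1" >&2; return 1; }
    is_ca_cert "$1" || { echo "not a CA certificate: $1" >&2; return 1; }
    echo "SHA-256 fingerprint: $(cert_sha256 "$1")"
}

# Usage, with the file name from the steps above:
#   precheck "$HOME/Downloads/Embassy Local CA.crt"
#   ...copy the file and run update-ca-certificates as described...
#   in_bundle "$HOME/Downloads/Embassy Local CA.crt" \
#       /etc/ssl/certs/ca-certificates.crt && echo "trusted by the OS"
```

Trusting a root CA lets it vouch for any site, so review the printed fingerprint to confirm the file is the certificate you intended to install.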