Successfully tested on Ubuntu Server 12.04 LTS 64-bit
SSL/TLS certificates are everywhere. Whether you connect to your online bank account, set up an FTPS server or sign your applications, you use SSL/TLS certificates. All these certificates have been issued by a certification authority (CA) which your operating system must recognize as a trusted third party. This recognition relies on the CA certificate installation.
In the following example, we’ll install the Class 1 Primary Intermediate Server CA certificate from StartCom, a CA particularly known to supply free domain validated certificates (see StartSSL website for more information). As the StartCom Root CA certificate is already installed by default in /usr/share/ca-certificates/mozilla, we’ll use the same path for its intermediate CA certificate.
First, download the certificate:
sudo wget https://www.startssl.com/certs/sub.class1.server.ca.pem -O /usr/share/ca-certificates/mozilla/StartCom_Class_1_Primary_Intermediate_Server_CA.crt
Then, add the path to this new certificate (relative to /usr/share/ca-certificates) in /etc/ca-certificates.conf:
mozilla/StartCom_Class_1_Primary_Intermediate_Server_CA.crt
Finally, now that everything is in place, just launch:
sudo update-ca-certificates
to complete the installation. During this process, the content of the /etc/ssl/certs folder is updated to hold the SSL certificates and ca-certificates.crt, a single file that concatenates all the certificates.
That’s all Folks!
For further reading, refer to Ubuntu manuals.
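The edit to /etc/ca-certificates.conf described above can be made repeatable. The following is an added example, not part of the original post: the function names register_ca and stale_entries are hypothetical, and the script relies on the documented file format, where lines starting with "#" are comments and lines starting with "!" are deselected certificates.

```shell
#!/bin/sh
# Added example: idempotent edit of a ca-certificates.conf-style file.
# CONF and BASE default to the paths named in the post; override them to test.
CONF="${CONF:-/etc/ca-certificates.conf}"
BASE="${BASE:-/usr/share/ca-certificates}"

# register_ca REL_PATH  (hypothetical helper)
# Echoes "added", "enabled" (a "!"-deselected line was re-enabled) or "present".
# Echoes "missing" and returns 1, leaving CONF untouched, if the file is absent.
register_ca() {
    rel="$1"
    if [ ! -f "$BASE/$rel" ]; then
        echo "missing"
        return 1
    fi
    if grep -Fxq -- "$rel" "$CONF"; then
        echo "present"
    elif grep -Fxq -- "!$rel" "$CONF"; then
        # Build the new content in a temp file; CONF is only overwritten
        # after awk has succeeded, and keeps its owner and mode.
        tmp="$(mktemp)" || return 1
        if awk -v e="!$rel" -v r="$rel" \
               '$0 == e { print r; next } { print }' "$CONF" > "$tmp" &&
           cat "$tmp" > "$CONF"; then
            rm -f "$tmp"
            echo "enabled"
        else
            rm -f "$tmp"
            return 1
        fi
    else
        printf '%s\n' "$rel" >> "$CONF"
        echo "added"
    fi
}

# stale_entries  (hypothetical helper)
# Lists enabled entries whose certificate file does not exist under BASE,
# i.e. lines that point at nothing and should be reviewed or removed.
stale_entries() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|'!'*) continue ;;
        esac
        [ -f "$BASE/$line" ] || printf '%s\n' "$line"
    done < "$CONF"
}
```

Against the real files, source the script as root, call register_ca with the relative path from the post, then run update-ca-certificates as shown above.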
Aug 31, 2014 @ 09:47:37
Thanks! Worked perfectly for fixing a CA cert complaint when I was trying to do an add-apt-repository.
Yours was the shortest, most concise recipe I found (and all command line).
I also deleted a bad entry in the /etc/ca-certificates.conf that the update-ca-certificates complained about, while I was at it.
Thanks again,
-kevin
Aug 31, 2014 @ 10:51:23
Glad it helped!
Just in case, as I found this out recently, note that if you install intermediate CA certificates as described in the post, some applications may complain they cannot verify the whole certification chain. To fix this, the best is to create a StartCom_Class_1_Primary_Intermediate_Server_CA_Chain.crt file instead (if we continue with the same StartSSL example) including both the intermediate CA (first) and root CA (just after) certificates. Installation process to follow is the same as described in the post.
E.
Mar 25, 2016 @ 18:10:08
I believe the correct cert URL is now https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
Mar 26, 2016 @ 22:45:03
Yes, you’re right. Seems like they deprecated their old SHA-1 certificates (which is a good thing). I’ll update the post soon. Thank you for alerting me about this.
E.