trust-opsys
Tuesday 1 April 2025

Anchoring your own root CA in operating systems

On SUSE

  • Copy the CA certificate (My-CA.pem or My-CA.crt) to /etc/pki/trust/anchors/
  • Now run:
    sudo update-ca-certificates

Refer to documentation here and here. See also Blog post.

On Fedora

  • Copy the CA certificate (My-CA.pem) to /etc/pki/ca-trust/source/anchors/ or /usr/share/pki/ca-trust-source/anchors/
  • Now run:
    sudo update-ca-trust

Refer to documentation here. See also Blog post.

On Debian & Derivatives

  • Copy the CA certificate (My-CA.pem) into /usr/local/share/ca-certificates/ with a .crt extension (My-CA.crt); update-ca-certificates only picks up files ending in .crt.
  • Update the cert store with:
    sudo update-ca-certificates

Refer to documentation here and here.

On Arch

System-wide – Arch (p11-kit)
(From the Arch wiki)

  • Run (as root):
    trust anchor --store My-CA.crt
  • The certificate will be written to /etc/ca-certificates/trust-source/My-CA.p11-kit and the “legacy” directories automatically updated.
  • If you get “no configured writable location” or a similar error, import the CA manually: copy the certificate to the /etc/ca-certificates/trust-source/anchors/ directory and then run
    sudo update-ca-trust

wiki page here
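After any of the Linux update commands above, the practitioner's check is that the merged bundle now contains the exact certificate (matched by SHA-256 fingerprint of the DER, not by subject name). This is an added example, not code from the original post; the bundle paths in BUNDLES are assumed distribution defaults, and the PEM blocks at the bottom are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def pem_fingerprints(pem_text):
    """Map sha256-hex fingerprint -> DER bytes for every cert block in a PEM text."""
    out = {}
    for b64 in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        out[hashlib.sha256(der).hexdigest()] = der   # same value openssl -fingerprint -sha256 prints
    return out

def anchor_fingerprint(pem_text):
    """Fingerprint of a single-certificate PEM (the My-CA.pem from the page)."""
    fps = pem_fingerprints(pem_text)
    if len(fps) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(fps)}")
    return next(iter(fps))

def is_trusted(ca_pem_text, bundle_pem_text):
    """True only if the CA's exact DER is present in the merged bundle."""
    return anchor_fingerprint(ca_pem_text) in pem_fingerprints(bundle_pem_text)

# Merged bundles the update commands rewrite (assumed defaults; adjust per system).
BUNDLES = {
    "debian": "/etc/ssl/certs/ca-certificates.crt",
    "fedora": "/etc/pki/tls/certs/ca-bundle.crt",
    "suse": "/etc/ssl/ca-bundle.pem",
    "arch": "/etc/ssl/certs/ca-certificates.crt",
}

def check_system(ca_path, distro):
    """Read My-CA.pem and the distro's bundle from disk and compare."""
    return is_trusted(Path(ca_path).read_text(), Path(BUNDLES[distro]).read_text())

# Constructed sample data: PEM-framed bytes, NOT real certificates, to exercise the logic offline.
def _fake_pem(payload: bytes) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(payload).decode()}-----END CERTIFICATE-----\n"

MY_CA = _fake_pem(b"constructed-my-ca-der")
BUNDLE_WITH = _fake_pem(b"some-public-ca") + MY_CA
BUNDLE_WITHOUT = _fake_pem(b"some-public-ca") + _fake_pem(b"lookalike-my-ca")

if __name__ == "__main__":
    print("in bundle:", is_trusted(MY_CA, BUNDLE_WITH))
    print("not in bundle:", is_trusted(MY_CA, BUNDLE_WITHOUT))
```

On a real host, `check_system("/usr/local/share/ca-certificates/My-CA.crt", "debian")` performs the same comparison against the merged bundle.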

On Windows

Assuming the path to your generated CA certificate is C:\My-CA.pem, run in PowerShell:

    Import-Certificate -FilePath "C:\My-CA.pem" -CertStoreLocation Cert:\LocalMachine\Root
  • Set -CertStoreLocation to Cert:\CurrentUser\Root if you want to trust certificates only for the logged-in user.

OR

In Command Prompt, run:

    certutil.exe -addstore root C:\My-CA.pem
  • certutil.exe is a built-in tool (classic System32 one) and adds a system-wide trust anchor.

See also “Step 4 – Import root certificate to users devices” in the “openssl” chapter, or “Step 5” in the “cfssl” chapter, of another source.

For Windows (via the MMC Certificates snap-in):

    mmc
  • Click Open
  • Go to File > Add/Remove Snap-in
  • Click Certificates and Add
  • Select Computer Account and click Next
  • Select Local Computer then click Finish
  • Click OK to go back to the MMC window
  • Double-click Certificates (local computer) to expand the view
  • Select Trusted Root Certification Authorities, right-click on Certificates, and select “All Tasks” then “Import”
  • Click Next then Browse. Change the certificate extension dropdown next to the filename field to “All Files (*.*)” and locate the “your-root-cert-name.pem” file, click “Open”, then “Next”
  • Select “Place all certificates in the following store”. “Trusted Root Certification Authorities store” is the default. Click “Next” then click “Finish” to complete the wizard
  • To verify, check that your imported root certificate is listed among the root certificates

The “Proxmox” wiki also has an article on adding certificates to the Windows trust store.


On macOS

Assuming the path to your generated CA certificate is ~/My-CA.pem, run (as root):

    security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/My-CA.pem

A dialog box will appear asking for an administrator’s username and password. Enter it, and it will be stored in the system keychain. This can be verified by opening the Keychain Access application (/Applications/Utilities/Keychain Access.app). On the sidebar under System Keychains select System, and the new certificate should be listed.


See also “Step 4 – Import root certificate to users devices” in the “openssl” chapter, or “Step 5” in the “cfssl” chapter, of another source.

For macOS:

  • Open Keychain Access by searching for it in Spotlight (click the magnifying glass in the upper right corner)
  • Select File > Import Items. Find the generated root certificate. Select System as “Destination Keychain”
  • Enter your password when prompted
  • Log off for the change to take effect

The “Proxmox” wiki also has an article on adding certificates to the macOS trust store.


Anchoring your own root CA on mobile devices

On Android

The exact steps vary from device to device, but here is a generalised guide:

  1. Open Phone Settings
  2. Locate Encryption and Credentials section. It is generally found under Settings > Security > Encryption and Credentials
  3. Choose Install a certificate
  4. Choose CA Certificate
  5. Locate the certificate file My-CA.pem on your SD card/internal storage using the file manager.
  6. Select it to load it.
  7. Done!

  • “Importing SSL Certificate on Android or iPhone” TitanHq

On iOS

Apple makes this far more difficult than it should be:

  1. Send My-CA.pem to the iOS device through iCloud, AirDrop, or a direct download from your server.
  2. After downloading a dialog will appear on screen telling you that the profile has been downloaded.
  3. Open the Settings app, and a Profile Downloaded item will be at the top. If it is not there, you may find it in General → VPN & Device Management.
  4. Click Install.
  5. The device will ask for your passcode. Enter it.
  6. The device will then warn you about the certificate. Click Install again.
  7. And, as if clicking Install twice wasn’t enough, a confirmation button will appear at the bottom of the screen. Click Install one last time.
  8. Done!

  • “Importing SSL Certificate on Android or iPhone” TitanHq