(install-a-root-ca-certificate-in-the-trust-store)=
# Install a root CA certificate in the trust store

Enterprise environments sometimes have a local Certificate Authority (CA) that issues certificates for use within the organisation. For an Ubuntu server to be functional, and to trust the hosts in this environment, this CA must be installed in Ubuntu's trust store.

## Certificate formats

There are two encoding formats for certificates:

* **Privacy Enhanced Mail (PEM)**: These are human-readable and in Base64-encoded **ASCII** format.

* **Distinguished Encoding Rules (DER)**: These are encoded in a more compact **binary** format, and not human readable.

To install a certificate in the trust store it must be in PEM format. A PEM certificate starts with the line `-----BEGIN CERTIFICATE-----`. If you see this, you're ready to install. If not, it is probably a DER certificate and needs to be converted before you can install it in the trust store.

## Install a PEM-format certificate

Assuming your PEM-formatted root CA certificate is in `local-ca.crt`, run the following commands to install it:

```bash
sudo apt-get install -y ca-certificates
sudo cp local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
```

> **Note:**
> It is important that the certificate file has the `.crt` extension, otherwise it will not be processed.

After this point you can use tools like `curl` and `wget` to connect to local sites.

## Convert from DER to PEM format

You can convert a DER-formatted certificate called `local-ca.der` to PEM form like this:

```bash
sudo openssl x509 -inform der -outform pem -in local-ca.der -out local-ca.crt
```

## The CA trust store location

The CA trust store (as generated by `update-ca-certificates`) is available at the following locations:

* As a single file (PEM bundle) in `/etc/ssl/certs/ca-certificates.crt`

* As an OpenSSL-compatible certificate directory in `/etc/ssl/certs`
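
The format check, DER-to-PEM conversion and `.crt` naming described above can be combined into one helper that also prints the certificate's subject, expiry date and SHA-256 fingerprint, so these can be compared with what the CA's operators publish before the certificate is trusted. This is an added example, not part of the original guide; the function names `cert_format` and `stage_ca_cert` and the staging directory `/tmp/ca-stage` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: stage a CA certificate of either encoding as a PEM ".crt"
# file ready for /usr/local/share/ca-certificates. Names are hypothetical.

# Print "pem", "der" or "unknown" for the file in $1.
cert_format() {
    if head -n 1 "$1" | grep -q -e '^-----BEGIN CERTIFICATE-----'; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der    # DER starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# Write $1 as PEM to <directory $2>/<name>.crt and print that path.
# openssl parses the input, so a file that only looks right is rejected.
stage_ca_cert() {
    local src dir fmt name out
    src=$1
    dir=$2
    fmt=$(cert_format "$src")
    if [ "$fmt" = unknown ]; then
        echo "not a PEM or DER certificate: $src" >&2
        return 1
    fi
    mkdir -p "$dir"
    name=$(basename "$src")
    out="$dir/${name%.*}.crt"    # update-ca-certificates only reads *.crt
    openssl x509 -inform "$fmt" -outform pem -in "$src" -out "$out" ||
        { rm -f "$out"; return 1; }
    # Details to compare against the CA's published values (sent to stderr).
    openssl x509 -in "$out" -noout -subject -enddate -fingerprint -sha256 >&2
    echo "$out"
}

# Usage, once the printed fingerprint has been checked:
#   crt=$(stage_ca_cert local-ca.der /tmp/ca-stage) &&
#   sudo cp "$crt" /usr/local/share/ca-certificates/ &&
#   sudo update-ca-certificates
```
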