Adding trusted root certificates to the server


If you need to send or receive messages signed with certificates issued by a root authority that is not installed on the server, you must add that authority's root certificate to the server's trust store manually. Every certificate that chains to a root you add will be trusted by all applications using the system store, so add only roots you have obtained from the authority and verified out of band (for example by comparing the fingerprint the authority publishes).

Use the following steps to add trusted root certificates to a server, or to remove them from it.

Mac OS X

To add a certificate to the System keychain, use:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt

To remove a certificate from the System keychain, use the following command, where common-name is the Common Name of the certificate to delete:

sudo security delete-certificate -c "common-name" /Library/Keychains/System.keychain


Windows

Run the following from an elevated (administrator) command prompt, since the ROOT store without the -user switch is the machine store. To add a certificate to the Trusted Root Certification Authorities store, use:

certutil -addstore -f "ROOT" new-root-certificate.crt

To remove a certificate, use the following command, where serial-number-hex is the serial number of the certificate in hexadecimal (certutil also accepts the certificate's SHA-1 thumbprint as the identifier):

certutil -delstore "ROOT" serial-number-hex

Linux (Ubuntu, Debian)

Copy your CA certificate, in PEM format and with a .crt extension (update-ca-certificates ignores files with any other extension), to the directory /usr/local/share/ca-certificates/:

Use command:

sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store:

sudo update-ca-certificates

To remove the CA, delete its file from /usr/local/share/ca-certificates/ and rebuild the store; the --fresh switch also removes the symlinks of certificates that are no longer present:

sudo update-ca-certificates --fresh

Restart Kerio Connect to reload the certificates; this is required for the 32-bit versions and on Debian 7.

Linux (CentOs 6)

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust enable

Copy the certificate as a new file into /etc/pki/ca-trust/source/anchors/ (both PEM and DER files are accepted in this directory):

cp foo.crt /etc/pki/ca-trust/source/anchors/

Rebuild the trust store:

update-ca-trust extract

Restart Kerio Connect to reload the certificates; this is required for the 32-bit version.

Linux (CentOs 5)

Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt. Note that this file belongs to the openssl package, so a package update can overwrite your change:

cat foo.crt >> /etc/pki/tls/certs/ca-bundle.crt

A better method on CentOS 5, which leaves the package-owned bundle file alone, is to drop the certificate into the certificate directory and rebuild the hash symlinks that OpenSSL uses to look certificates up by subject. This only helps applications that search the certificate directory (CApath); applications that read ca-bundle.crt directly will not see the new CA.

sudo yum install /usr/bin/c_rehash
sudo cp foo.crt /etc/pki/tls/certs/foo.pem
sudo c_rehash
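After running any of the update commands above, it is worth confirming that the certificate actually ended up in the bundle that applications read: /etc/ssl/certs/ca-certificates.crt on Debian and Ubuntu, /etc/pki/tls/certs/ca-bundle.crt on CentOS 6 and 5. The script below is an added example, not part of Kerio's documentation or product. It compares SHA-256 fingerprints of the DER-encoded certificates using only awk, base64 and sha256sum from coreutils, so it works on a minimal Linux server without openssl; the function names (pem_fingerprints, ca_in_bundle, selftest) are ours. The self-test uses three dummy PEM blocks whose base64 bodies decode to short ASCII strings, standing in for real certificates; on a real system, call ca_in_bundle with your CA file and the bundle path.

```sh
#!/bin/sh
# Added example (not Kerio Connect code): confirm that a CA certificate is present in
# a system CA bundle by comparing SHA-256 fingerprints of the DER-encoded certificates.
# Needs only awk, base64 and sha256sum (coreutils); no openssl required.
#
# Usage: ca_in_bundle CA.crt BUNDLE.crt   (exit 0 = present, 1 = missing, 2 = no cert in CA.crt)

# Print one lowercase hex SHA-256 fingerprint per PEM certificate found in "$1".
# The value equals `openssl x509 -noout -fingerprint -sha256 -in FILE`
# with the colons removed and lowercased, so it can be compared with published fingerprints.
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# Return 0 if every certificate in "$1" is present in bundle "$2",
# 1 if at least one is missing, 2 if "$1" contains no PEM certificate at all
# (an empty or DER-encoded file would otherwise pass vacuously).
ca_in_bundle() {
    ca_fps=$(pem_fingerprints "$1")
    [ -n "$ca_fps" ] || return 2
    bundle_fps=$(pem_fingerprints "$2")
    for fp in $ca_fps; do
        printf '%s\n' "$bundle_fps" | grep -qx "$fp" || return 1
    done
    return 0
}

# Self-test on constructed data. The three PEM blocks are NOT real X.509
# certificates: their base64 bodies decode to "dummy", "test" and "Hello".
# The fingerprint comparison does not care, so they exercise the logic offline.
selftest() {
    dir=$(mktemp -d) || return 1
    our_ca='-----BEGIN CERTIFICATE-----
ZHVtbXk=
-----END CERTIFICATE-----'
    other_ca='-----BEGIN CERTIFICATE-----
dGVzdA==
-----END CERTIFICATE-----'
    system_ca='-----BEGIN CERTIFICATE-----
SGVsbG8=
-----END CERTIFICATE-----'
    printf '%s\n' "$our_ca"   > "$dir/our-ca.crt"
    printf '%s\n' "$other_ca" > "$dir/other-ca.crt"
    # A bundle that already holds "our" CA plus an unrelated one.
    printf '%s\n%s\n' "$system_ca" "$our_ca" > "$dir/bundle.crt"

    present=0; ca_in_bundle "$dir/our-ca.crt"   "$dir/bundle.crt" || present=$?
    missing=0; ca_in_bundle "$dir/other-ca.crt" "$dir/bundle.crt" || missing=$?
    empty=0;   ca_in_bundle /dev/null            "$dir/bundle.crt" || empty=$?
    rm -rf "$dir"
    [ "$present" -eq 0 ] && [ "$missing" -eq 1 ] && [ "$empty" -eq 2 ]
}

# Real-world use, e.g. after update-ca-certificates on Debian/Ubuntu:
#   ca_in_bundle foo.crt /etc/ssl/certs/ca-certificates.crt && echo "CA is in the bundle"
# or after update-ca-trust extract on CentOS 6:
#   ca_in_bundle foo.crt /etc/pki/tls/certs/ca-bundle.crt
if [ "$#" -eq 2 ]; then
    ca_in_bundle "$1" "$2"
fi
```

Running the same check after removing a CA (update-ca-certificates --fresh) should return 1, which confirms the removal actually propagated to the bundle rather than only to the source directory.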

Linux (Debian, using dpkg-reconfigure)

An alternative method, using Debian as the example. Install the ca-certificates package:

apt-get install ca-certificates

Then copy the public half of your CA certificate (the one used to sign your CSRs), which the system does not yet trust, into the CA certificate directory as root. Give it a .crt extension, because update-ca-certificates and the configuration dialog only consider files ending in .crt:

cp cacert.pem /usr/share/ca-certificates/cacert.crt

Then, as root, rebuild the certificate directory with your certificate included:

dpkg-reconfigure ca-certificates

When prompted, choose the "ask" option, scroll to your certificate, mark it for inclusion and select OK. This records the certificate in /etc/ca-certificates.conf and runs update-ca-certificates.

Most browsers use their own CA database, so tools like certutil (on Debian, provided by the libnss3-tools package) have to be used to modify their contents. For example, with Chrome you run something along the lines of:

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My Homemade CA" -i /path/to/CA/cert.file

Firefox lets you browse to the certificate file on disk, recognizes it as a certificate and lets you import it into its root CA list.

Most other commands, such as curl, take command line switches that point at your CA:

 curl --cacert /path/to/CA/cert.file https://...

or drop certificate validation altogether:

 curl --insecure https://...

Note that --insecure disables certificate validation entirely, so the connection is open to man-in-the-middle interception; use it only for troubleshooting, never in scripts that carry credentials or data you care about.

Other applications need individual investigation if the ca-certificates approach above does not work for them.