Wed 08 January 2020

Ubuntu: Blindly Trusting the Corporate CA

Posted by Kyle Pericak in systems administration   

Note: This is usually a bad idea. You should really get the team who runs the CA to send you the certificate in case some bad guy is doing the MITM and not the local security team. Use this procedure with caution.

Get the signing certificate

Use openssl to print the certificate data. Replace <host>:<port> with the TLS server you are connecting to.

openssl s_client -connect <host>:<port> -showcerts

In the output you'll see, among other things, some certificates. They look like this:


Find the one signed by your local CA. Copy and paste it into a new file, such as The .crt file extension is required. Don't copy anything before or after the BEGIN and END lines.
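One way to make this step less blind, as an added example that is not part of the original post: split the saved s_client output into one file per certificate and keep only the one whose SHA-256 fingerprint matches a value the CA team gave you out-of-band. The function names, the cert-N.crt file names and the sample output (filler bytes, not real certificates) are assumptions of this example.

```shell
# Added example, not from the original post. Inputs assumed: saved output of
# `openssl s_client -showcerts`, plus the CA's SHA-256 fingerprint obtained
# out-of-band from the team that runs the CA.

# Constructed s_client-style sample; the base64 bodies are filler bytes
# ("foo", "bar"), not real certificates.
sample_chain() {
cat <<'EOF'
 0 s:CN = intranet.example
-----BEGIN CERTIFICATE-----
Zm9v
-----END CERTIFICATE-----
 1 s:CN = Example Corp CA
-----BEGIN CERTIFICATE-----
YmFy
-----END CERTIFICATE-----
EOF
}

# Write each PEM block in file $1 to $2/cert-N.crt, dropping all text outside
# the BEGIN/END lines.
split_chain() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".crt"; keep = 1 }
        keep { print > out }
        /^-----END CERTIFICATE-----/ { keep = 0; close(out) }
    ' "$1"
}

# SHA-256 of the decoded certificate bytes, lowercase hex (the digest that
# `openssl x509 -noout -fingerprint -sha256` prints with colons).
pem_sha256() {
    grep -v '^-----' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# Print the cert file in dir $1 whose fingerprint equals $2 (colons and case
# ignored); return 1 if none matches.
find_pinned_cert() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    for f in "$1"/cert-*.crt; do
        [ -f "$f" ] || continue
        if [ "$(pem_sha256 "$f")" = "$want" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

if [ "$#" -eq 2 ]; then  # usage: sh pin_ca.sh saved-output.txt 'AA:BB:...'
    d=$(mktemp -d) && split_chain "$1" "$d" && find_pinned_cert "$d" "$2"
fi
```

Only the file this prints should go on to the trust step; if nothing matches the fingerprint, stop and ask the CA team.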

Trust the certificate

As root, move the certificate file to /usr/local/share/ca-certificates, then run update-ca-certificates. Here <name>.crt stands for the file you saved above.

mv <name>.crt /usr/local/share/ca-certificates/
update-ca-certificates

That's it. Now your system will trust certs signed by that CA too.

