PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
"update-ca-certificates" to Add CA Certificate
This section provides a tutorial example on how to use the update-ca-certificates Command to add a new root CA certificate to the trust store on Linux systems.
If you want to add a new root CA certificate to the ca-certificates trust store, you can use the "update-ca-certificates" command (it's actually a shell script). Here are the steps you should follow:
1. Add the new root CA certificate file to the input directory. The certificate file should be in PEM format and with .crt extension.
herong$ sudo cp ZZ-Root-CA.crt /usr/share/ca-certificates/
2. Add the new root CA certificate in the ca-certificates configuration /etc/ca-certificates.conf:
herong$ sudo vi /etc/ca-certificates.conf ... mozilla/UCA_Global_G2_Root.crt mozilla/vTrus_ECC_Root_CA.crt mozilla/vTrus_Root_CA.crt ZZ-Root-CA.crt
3. Run "update-ca-certificates" command to update the ca-certificates trust store:
herong$ sudo update-ca-certificates Updating certificates in /etc/ssl/certs... rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... Adding debian:ZZ-Root-CA.pem done. Updating Mono key store Linux Cert Store Sync - version 4.6.2.0 Synchronize local certs with certs from local Linux trust store. I already trust 137, your new list has 138 Import process completed. done.
4. Verify the ca-certificates PEM store:
herong$ more ZZ-Root-CA.pem -----BEGIN CERTIFICATE----- MIIB+zCCAYKgAwIBAgIJAIZgMcdaWuMDMAkGByqGSM49BAEwIjELMAkGA1UEBhMC WloxEzARBgNVBAMTClpaIFJvb3QgQ0EwHhcNMjQxMTI0MTMwNzA4WhcNMjQxMjI0 MTMwNzA4WjAiMQswCQYDVQQGEwJaWjETMBEGA1UEAxMKWlogUm9vdCBDQTB2MBAG ... herong$ grep \ 'MTMwNzA4WjAiMQswCQYDVQQGEwJaWjETMBEGA1UEAxMKWlogUm9vdCBDQTB2MBAG' \ /etc/ssl/certs/ca-certificates.crt MTMwNzA4WjAiMQswCQYDVQQGEwJaWjETMBEGA1UEAxMKWlogUm9vdCBDQTB2MBAG herong$ ls -l /etc/ssl/certs/ | grep ZZ lrwxrwxrwx 1 root root 14 May 8 14:45 e3e10989.0 -> ZZ-Root-CA.pem lrwxrwxrwx 1 root root 41 May 8 14:45 ZZ-Root-CA.pem -> /usr/share/ca-certificates/ZZ-Root-CA.crt
5. Verify the ca-certificates JKS store:
herong$ keytool -list -keystore /etc/ssl/certs/java/cacerts \ -storepass changeit | grep zz Warning: use -cacerts option to access cacerts keystore debian:zz-root-ca.pem, 8 May 2026, trustedCertEntry, herong$ keytool -list -cacerts -storepass changeit | grep zz debian:zz-root-ca.pem, 8 May 2026, trustedCertEntry,
Table of Contents
Introduction of PKI (Public Key Infrastructure)
Introduction of PKI Certificate
OpenSSL - Cryptography Toolkit
"openssl ca" - CA (Certificate Authority) Tool
Java "keytool" Commands and KeyStore Files
PKCS12 Certificate Bundle File
Linux Trust Store for CA Certificates
►ca-certificates - Linux CA Certificate Package
What Is ca-certificates Package
What Is ca-certificates-java Package
What Is ca-certificates-mono Package
►"update-ca-certificates" to Add CA Certificate
"update-ca-certificates" to Disable CA Certificate
"update-ca-certificates" vs "trust" on Debian/Ubuntu Computers
update-ca-trust Command on Red Hat Computers