Skip to main content

Adding your CA to Trusted Root CA store of devices

Install the CA Cert as a trusted root CA

On Windows:

Assuming the path to your generated CA certificate as C:\ca.pem, run:

Import-Certificate -FilePath "C:\ca.pem" -CertStoreLocation Cert:\LocalMachine\Root
  • Set -CertStoreLocation to Cert:\CurrentUser\Root in case you want to trust certificates only for the logged in user.


In Command Prompt, run:

certutil.exe -addstore root C:\ca.pem
  • certutil.exe is a built-in tool (classic System32 one) and adds a system-wide trust anchor.
On Android:

The exact steps vary device-to-device, but here is a generalised guide:

  1. Open Phone Settings
  2. Locate Encryption and Credentials section. It is generally found under Settings > Security > Encryption and Credentials
  3. Choose Install a certificate
  4. Choose CA Certificate
  5. Locate the certificate file ca.pem on your SD Card/Internal Storage using the file manager.
  6. Select to load it.
  7. Done!
On Debian & Derivatives (Ubuntu):
  • Move the CA certificate (ca.pem) into /usr/local/share/ca-certificates/ca.crt.
  • Update the Cert Store with:
sudo update-ca-certificates

Refer to the documentation here and here.

On Fedora
  • Move the CA certificate (ca.pem) to /etc/pki/ca-trust/source/anchors/ca.pem or /usr/share/pki/ca-trust-source/anchors/ca.pem
  • Now run (with sudo if necessary):

Refer the documentation here.

On Arch

System-wide – Arch(p11-kit) (From arch wiki)

  • Run (As root)
trust anchor --store myCA.crt
  • The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit and the "legacy" directories automatically updated.
  • If you get "no configured writable location" or a similar error, import the CA manually:
  • Copy the certificate to the /etc/ca-certificates/trust-source/anchors directory.
  • and then

wiki page here

On Firefox:

Click on the top-right Hamburger Menu, and click on settings.

On the left menu, select Privacy and Security

Scroll down until you see certifcates. Click on that and select Import CA. This should pop up a file browser. Navigate to your ssl-certs folder and select your ca.pem file to import your CA into firefox.

You only need to do this for firefox as it seems to ignore the windows Trusted Root CAs.

And with that, you have successfully become your own CA, created signed SSLs using this CA and added to the devices you wish to access your local services from. Well Done!