Installing Windows CA Root certificate on Linux and Firefox

In my lab I have a Windows domain controller which has certificate services installed and configured. For Windows systems, group policy properly delivers this certificate to clients. However, in my Linux system this certificate is not installed. Additionally, even after installing the certificate for system use, the Firefox web browser doesn’t immediately trust this root certificate. In the following article we will walk through the steps needed to configure this Windows CA root certificate on Linux (Ubuntu 20.04) and Firefox.

  1. Go to the Windows CA server's web enrollment page, in my case https://ca.example.com/certsrv/.
  2. Select ‘Download a CA certificate, certificate chain, or CRL’.
  3. Select DER and ‘Download CA certificate’.
  4. This will download a certnew.cer file.
  5. Convert the certificate from DER to the PEM format with openssl. We can do this step on either Windows or Linux; in the sample below we will use our Windows system:

openssl x509 -inform DER -in "C:\Users\bwuchner\Downloads\certnew.cer" -out d:\tmp\ca-example-com.crt

  6. We must now get the contents of this ca-example-com.crt file copied to our Linux VM. At this point the certificate is in a text format, so I chose to create a new file and paste in the contents. For example:

sudo nano /usr/local/share/ca-certificates/ca-example-com.crt

  7. We must now change the permissions of the file such that the owner has read/write and all other users can read. We will do this with the following command:

sudo chmod 644 /usr/local/share/ca-certificates/ca-example-com.crt

  8. Now that the certificate is in the proper location, format, and permissions, we’ll run the update process:

sudo update-ca-certificates

From here we could test and confirm that our certificate is properly installed on the system by trying to access a site that uses a certificate issued by this CA. For example:

wget https://vc1.example.com

This should no longer return text similar to Unable to locally verify the issuer's authority.

Next we need to update Firefox to trust this root certificate as well. We will do this by creating a custom Firefox policy on the system. To begin we will create a policy file with a text editor, for example:

sudo nano /usr/lib/firefox/distribution/policies.json

In this file we will add the following JSON formatted policy:

{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["/usr/local/share/ca-certificates/ca-example-com.crt"]
    }
  }
}

The next time you start Firefox, this root certificate will be trusted and you should no longer receive warnings when browsing your internal sites.
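The steps above (DER to PEM conversion, the system trust store, and the Firefox policy) collected into one re-runnable script, as an added example that is not part of the original post. It assumes the Ubuntu 20.04 paths used in the post and that openssl is on the PATH; the thumbprint step is added so the downloaded root can be compared against the value shown in the Windows CA console before it is trusted.

```shell
#!/bin/sh
# Added example (not from the original post): installs a Windows CA root
# certificate into the Ubuntu trust store and a Firefox enterprise policy.
# Assumes Ubuntu 20.04 paths and openssl; file names are examples.
set -eu

CERT_DIR="${CERT_DIR:-/usr/local/share/ca-certificates}"
POLICY_FILE="${POLICY_FILE:-/usr/lib/firefox/distribution/policies.json}"

# Step 5: convert the DER certnew.cer from the CA web page to PEM (.crt).
der_to_pem() {  # der_to_pem <certnew.cer> <ca-example-com.crt>
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Print the thumbprints so they can be compared with those displayed in the
# Windows CA console before this root is trusted system-wide.
show_thumbprints() {  # show_thumbprints <cert.crt>
    openssl x509 -in "$1" -noout -fingerprint -sha1
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# update-ca-certificates only picks up .crt files that are PEM encoded.
pem_looks_valid() {  # pem_looks_valid <cert.crt>; exit 0 if PEM markers present
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Steps 6-8: copy with 644 permissions, then rebuild the system bundle.
install_system_ca() {  # install_system_ca <cert.crt>  (run as root)
    pem_looks_valid "$1" || { echo "not a PEM certificate: $1" >&2; return 1; }
    install -o root -g root -m 644 "$1" "$CERT_DIR/$(basename "$1")"
    update-ca-certificates
    # Confirms the root is now in the bundle that wget and curl consult.
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "$1"
}

# Firefox step: enterprise policy that imports the installed root.
write_firefox_policy() {  # write_firefox_policy <cert path> <policies.json>
    mkdir -p "$(dirname "$2")"
    printf '{ "policies": { "Certificates": {\n    "ImportEnterpriseRoots": true,\n    "Install": ["%s"] } } }\n' "$1" > "$2"
}

install_windows_ca() {  # install_windows_ca <certnew.cer> <ca-example-com.crt>
    der_to_pem "$1" "$2"
    show_thumbprints "$2"
    install_system_ca "$2"
    write_firefox_policy "$CERT_DIR/$(basename "$2")" "$POLICY_FILE"
}

# Run as: sudo sh install-ca.sh certnew.cer ca-example-com.crt
[ "$#" -lt 2 ] || install_windows_ca "$1" "$2"
```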
