How to install certificates for command line

TL;DR

For everything to work and not only your browser, you need to add that CA certificate to the system's trusted CA repository.

In ubuntu:

  • Go to /usr/local/share/ca-certificates/
  • Create a new folder, i.e. "sudo mkdir school"
  • Copy the .crt file into the school folder
  • Make sure the permissions are OK (755 for the folder, 644 for the file)
  • Run "sudo update-ca-certificates"

Why

Let me explain what is going on also, so the other posters see why they don't need any certificate to use Github over HTTPS.

What is going on there is that your school is intercepting all the SSL communications, probably in order to monitor them.

To do that, what they do is in essence a "man in the middle" attack, and because of that, your browser complains rightfully that he is not being able to verify github's certificate. Your school proxy is taking out github's cert and instead providing its own cert.

When your browser tries to verify the school's provided cert against the CA that signed github's cert, it rightfully fails.

So, for the SSL connection to work in the school, you need to consciously accept that "MITM" attack. And you do that by adding the school's CA certificate as a trusted one.

When you trust that school CA, your verification of the fake github cert will work, since the fake github cert will be verified by the school CA.

Be aware that SSL connection is not safe anymore since your school administrator will be able to intercept all your encrypted connections.


The ca-certificates package has the instructions in its README.Debian:

If you want to install local certificate authorities to be implicitly trusted, please put the certificate files as single files ending with .crt into /usr/local/share/ca-certificates/ and re-run update-ca-certificates.

Note that it mentions a directory different from the other answers here:

/usr/local/share/ca-certificates/

After copying into /usr/local/share/ca-certificates/ you can then update the cert's permissions and run sudo update-ca-certificates as mentioned in Telegraphers answer. You will see in the output that the cert was added.


Extensions .crt, .pem and .cer are interchangeable, just change the file name extension, they have the same form. Try this:

$ sudo cp mycert.cer /usr/share/ca-certificates/mycert.pem
$ sudo dpkg-reconfigure ca-certificates
$ sudo update-ca-certificates
$ git config --global http.sslCAInfo /usr/share/ca-certificates/mycert.pem