Trust a self signed PEM certificate

  1. Copy your cert to /etc/ssl/certs on the target system. Then create a symlink using the hash generated by the command openssl x509 -noout -hash -in ca-certificate-file, replacing ca-certificate-file with your certificate's file name. Your certificate should then be accepted by all programs without their own certificate store.

    For programs with their own certificate store (browsers, Java, and others) you will need to import the certificate.

  2. Generating your own self-signed or signed certificate is best.

    You may want to install tinyca2 and generate your own certificate authority. You can import the certificate authority certificate as detailed in the steps above. Generate and deploy signed certificates for your applications.

    Distribute your CA certificate to those users who need to trust your certificate. You may need to provide information on how to import the certificate to them. WARNING: If they do this, you become another trusted CA for them, so secure your CA accordingly.

    Many tools can also be configured to trust self-signed certificates, or certificates with untrusted CAs. This is usually a one-time action. This can be more secure than accepting a CA certificate from an insecure authority, since only the accepted certificate is trusted.


On Debian and Ubuntu you have to copy the certificate.pem to /usr/local/share/ca-certificates/certificate.crt and then run dpkg-reconfigure ca-certificates. /etc/ssl/certs is managed by that command.


Browsers have a list of trusted "certification authority" (CA) certificates. If a server's certificate is signed by one of those CA certificates and properly formed, you won't get the SSL warning.

Many browsers ship with many common CA certificates such as Verisign, Thawte, etc. Most browsers allow you to import a new CA into this list of trusted CAs.

Like creating your own self-signed server certificate, you can create your own self-signed CA certificate. You can then use that to sign your server certificate. If your CA is not provided by a well-known company, which it wouldn't be if it's one you made, it will have to be explicitly imported on the server side.

I've used xca to do this before. It has templates for CAs and HTTP servers. The procedure is this:

  • Create a private key for your CA
  • Create a self-signed CA using this key using the "CA" template
  • Create a private key for your proxy server
  • Create a "certificate signing request" (CSR) using the second key, referencing the CA you just made.
  • "Sign" the CSR and you'll have the proxy server certificate, which references your own CA.

You will then need to export (as a file if using xca) the CA certificate (but don't include the private key, of course). A .pem will be generated, but you can change the extension to .crt. When a user clicks on that, they will be offered the option to install it in Firefox and Internet Explorer, and possibly other major browsers. As for automatic installation of this .crt, you can:

  • use group policy on IE
  • direct users to an introduction page asking them to download/install the .crt if they want to avoid warnings.

You can then use the export functions on the HTTP server certificate (export both private key and certificate for the server side) to put on your proxy server.