Ask / Submit

Where can I add a system CA certificate

asked 2013-12-26 21:52:24 +0300

AL13N gravatar image

updated 2013-12-26 21:54:58 +0300

Where can I add a system CA certificate ( cacert )? the directory path for system CA certificates?

eg: my website is signed by it, and same thing with my mailserver (smtp, imap).

GUI question is here

edit retag flag offensive close delete


Certificates seem to be in /etc/pki/tls/certs

onion ( 2013-12-26 22:00:34 +0300 )edit

@onion the CA ones too?

AL13N ( 2013-12-26 22:04:47 +0300 )edit

4 Answers

Sort by » oldest newest most voted

answered 2014-01-12 12:38:35 +0300

AL13N gravatar image

updated 2014-01-12 12:42:18 +0300

Make sure you're root on your device, with devmode and devel-su, then first install openssl:

pkcon install openssl

Then go the CA path, fetch the root certificate and install it:

cd /etc/pki/tls/certs/
curl -o ca-cert-root.pem
ln -s ca-cert-root.pem $( openssl x509 -hash -noout -in ca-cert-root.pem )".0"

Testing it with openssl:

openssl s_client -connect -CApath /etc/pki/tls/certs

unfortunately, the native browser doesn't seem to use the CA certificates, so, next you can follow this post.

edit flag offensive delete publish link more



The native browser is gecko/firefox based, it brings its own certificate storage, your observation is correct.

tbr ( 2014-01-12 15:15:11 +0300 )edit

Does it make sense to copy this openssl-named file to /system/etc/security/cacerts for android stuff? (copy not symbolic link!)

cy8aer ( 2014-03-24 14:50:46 +0300 )edit

I have followed the above to add Class 1 PKI Key Root Certificate and the below Class 3 PKI Key Intermediate Certificate but I am still getting in the web browser "This Connection is Untrusted" msg. when trying to access https page secured by certificates I have generated for the site (Error code is: sec_error_unknown_issuer).

m2 ( 2014-04-25 20:13:46 +0300 )edit

@m2 follow the link at the end of this answer! Repeating it here for clarity: This answer is NOT about importing certificates to be used by the browser!

tbr ( 2014-04-25 21:48:08 +0300 )edit

Is the "browser step" still needed with 1.1.7?

From the release notes: Introduce certificate handling middleware (p11-kit). All crypto libraries now share one CA store.

ilpianista ( 2015-07-15 14:01:37 +0300 )edit

answered 2014-01-15 18:00:50 +0300

nblr gravatar image

updated 2014-08-05 18:15:54 +0300

Instead of using the lengthy and awkward ln -s [...] you can use multi_c_rehash which is a quite convenient tool that came out of the mer project and can be used to create the hash-symlinks in the /etc/pki/tls/certs directory.

so... just place the (ca) certificate in the directory /etc/pki/tls/certs in pem format and run multi_c_rehash afterwards. - don't forget to devel_su first :-)

edit flag offensive delete publish link more

answered 2013-12-26 22:11:58 +0300

onion gravatar image

updated 2013-12-26 22:30:20 +0300

AL13N gravatar image

First, install openssl: pkcon install openssl

Go to /etc/pki/tls/certs

Then, download the ca-cert certificate: curl -o ca-cert-c3.pem

Get the required hash link using openssl:

ln -s ca-cert-c3.pem $( openssl x509 -hash -noout -in ca-cert-c3.pem )".0"

That should be it.

edit flag offensive delete publish link more


I'll accept the answer when i eventually get my Jolla :-)

AL13N ( 2013-12-26 22:30:42 +0300 )edit

tried that, but did not solve the original problem with XMPP with my own jabber server (see With "bool:ignore-ssl-errors=false" the native im-client does not connect.

thessy ( 2013-12-27 21:44:33 +0300 )edit

Kiitos, that works for apps using openssl. RFE: add a Makefile in /etc/pki/tls/certs like most distros have (shout if you want me to dig one out)

pcfe ( 2013-12-28 17:12:16 +0300 )edit

"is that really all for the certificates? What about /system/etc/security/cacerts? All out of the box certificates in /etc/pki/tls/certs seem to symbolic link into this directory... " (by @cy8aer )

AL13N ( 2013-12-30 18:38:08 +0300 )edit

@onion tried to verify with

openssl s_client -connect -CApath /etc/pki/tls/certs

and it failed to find issuer

AL13N ( 2014-01-12 01:21:21 +0300 )edit

answered 2015-10-14 14:59:35 +0300

Jfish gravatar image


Now do not necessarily need to install openssl.

Here are the contents of the file README(in /etc/pki/ca-trust/source/README) what to do.

This directory /etc/pki/ca-trust/source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in 
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
        list of CAs trusted on the system:

        Copy it to the
        subdirectory, and run the

        If your certificate is in the extended BEGIN TRUSTED file format,
        then place it into the main source/ directory instead.
        Please refer to the update-ca-trust(8) manual page for additional information.
edit flag offensive delete publish link more
Login/Signup to Answer

Question tools



Asked: 2013-12-26 21:52:24 +0300

Seen: 5,124 times

Last updated: Oct 14 '15