Install CA on workstations

Installation depends on the operating system of the workstation (or other device) the CA must be installed on. Only machines that will be accessing the services need it: a client decides whether to trust a server certificate by checking it against the CAs in its own trust store, so the CA has to be in every client's store. The servers which provide the service do not need it installed, though it is acceptable to do so. Distribute only the CA certificate (the PEM file); the CA's private key never leaves the machine that signs certificates with it.

For a few workstations, it is easier to do a manual install. For a more complex environment, it is better to spend some time writing scripts to do the installation for you.

Microsoft Windows

Manual Install

This is the simplest for a small number of Windows computers. Put the CA certificate (PEM file) on a thumb drive or a Windows file share (SMB). Windows associates the certificate viewer with the .cer and .crt extensions rather than .pem, so rename the copy to ca.crt (the contents are unchanged). On each machine:

  1. Be sure you are an administrator; otherwise the wizard only offers the current user's store, and other users on the machine will not trust the CA
  2. Locate the certificate file
  3. Double click on the certificate, check that the thumbprint on the Details tab matches the one published by whoever runs the CA, then click Install Certificate...
  4. In the wizard choose Local Machine as the store location, then "Place all certificates in the following store" and pick Trusted Root Certification Authorities (this is the ROOT store that certutil refers to), and approve the UAC prompt

Automated Install

The simplest thing I can come up with is to create a share (SMB, whatever) that you can access from all machines, then place the CA certificate (PEM file) in that share next to the PowerShell script below (untested so far). On each machine, open an elevated PowerShell, change to that directory and run the script. It imports the certificate into the machine-wide Trusted Root store with certutil -addstore -f, which replaces an existing copy rather than checking for it first, and then verifies by thumbprint that the certificate is actually present in the store. If the execution policy refuses to run the script, start it as powershell -ExecutionPolicy Bypass -File installCA.ps1.

The script requires administrator privileges.

installCA.ps1
# Ensure this script runs as an administrator
if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script as Administrator!"
}
 
# change this to the actual name of your Certificate
$PemFileName = "ca.pem"
 
# Define the path to the PEM file
$CurrentDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$PemFilePath = Join-Path -Path $CurrentDir -ChildPath $PemFileName
 
# Check if PEM file exists
if (-Not (Test-Path $PemFilePath)) {
    throw "CA PEM file not found at path: $PemFilePath"
}
 
# Parse the PEM first: a malformed file fails here, before anything on the machine
# is changed, and the thumbprint is what the verification below looks for
$CaCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PemFilePath)
Write-Host "CA to install: $($CaCert.Subject) (thumbprint $($CaCert.Thumbprint))" -ForegroundColor Cyan
 
# Import CA from PEM file using certutil (-f replaces an existing copy of the same certificate)
Write-Host "Importing the Certificate Authority from PEM file..." -ForegroundColor Cyan
 
certutil -addstore -f "ROOT" $PemFilePath
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE"
}
 
# Verify that this certificate is now in the machine Root store. Match on the thumbprint:
# matching on the subject (every certificate has a CN) would report success for any root
$importedCA = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $CaCert.Thumbprint }
if ($importedCA) {
    Write-Host "Successfully imported CA from PEM file:" -ForegroundColor Green
    $importedCA | Format-Table -Property Subject, Thumbprint, NotAfter
} else {
    Write-Host "Failed to import CA from PEM file." -ForegroundColor Red
    exit 1
}

Using GPO in a Windows Domain

Machines joined to a Windows domain do not need a script at all: publish the CA through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, then Import), or from a domain controller with certutil -dspublish -f ca.pem RootCA, and every domain member picks it up at its next policy refresh. If a script is preferred anyway, for example as a GPO computer startup script (which runs as SYSTEM, with the script's own directory on the share or in SYSVOL as the location of the PEM file), the version below (untested) differs from the one above in that it first checks by thumbprint whether this CA is already in the machine Root store and does nothing if it is, so it is safe to run at every boot.

installCADomain.ps1
# Ensure this script runs as an administrator (a GPO computer startup script runs as SYSTEM, which qualifies)
if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script as Administrator!"
}
 
# change this to the actual name of your Certificate
$PemFileName = "ca.pem"
 
# Define the path to the PEM file (same directory as the script, e.g. the share or SYSVOL folder)
$CurrentDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$PemFilePath = Join-Path -Path $CurrentDir -ChildPath $PemFileName
 
# Check if PEM file exists
if (-Not (Test-Path $PemFilePath)) {
    throw "CA PEM file not found at path: $PemFilePath"
}
 
# Parse the PEM so the checks below look for this specific certificate (by thumbprint),
# not for just any certificate that happens to be in the Root store
$CaCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PemFilePath)
 
# Function returning the copy of this CA in the machine Root store, or nothing if it is absent
function Get-InstalledCA {
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $CaCert.Thumbprint }
}
 
# Check if this CA is already installed; if so there is nothing to do
$existing = Get-InstalledCA
if ($existing) {
    Write-Host "This CA is already installed:" -ForegroundColor Yellow
    $existing | Format-Table -Property Subject, Thumbprint, NotAfter
    Write-Host "Exiting script as CA installation is not required." -ForegroundColor Green
    exit 0
}
 
# Import the CA from PEM file using certutil
Write-Host "Importing the Certificate Authority $($CaCert.Subject) from PEM file..." -ForegroundColor Cyan
 
certutil -addstore "ROOT" $PemFilePath
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed with exit code $LASTEXITCODE"
}
 
# Verify that the CA was imported successfully
$importedCA = Get-InstalledCA
if ($importedCA) {
    Write-Host "Successfully imported CA from PEM file:" -ForegroundColor Green
    $importedCA | Format-Table -Property Subject, Thumbprint, NotAfter
} else {
    Write-Host "Failed to import CA from PEM file." -ForegroundColor Red
    exit 1
}

Linux

Each Linux distribution has its own directory and command for adding a CA, but the procedure is basically the same:

  1. Copy the PEM file into the distribution's directory for locally added CAs
  2. Run the distribution's command to rebuild the system CA bundle from that directory

Note that the system bundle is what OpenSSL-based tools (curl, wget, most daemons) consult; Firefox, Java and some language runtimes keep their own trust stores and need the CA added to those separately.

Debian derivatives

Manual

installDebianCA
# the file name must end in .crt, or update-ca-certificates silently ignores it
sudo cp ca.pem /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates

Automated

  1. Place the PEM file on a machine with SSH access to all the others (like an ansible server)
  2. The script logs in as root over SSH, so root login must be permitted on every target machine (if it is not, change the user and prefix the remote commands with sudo)
  3. Run the following script once for each machine:
./installDebianCA targetMachine /path/to/ca.pem
installDebianCA
#!/bin/bash
set -euo pipefail    # stop at the first failed scp/ssh instead of reporting success anyway
 
# Check if the required parameters are provided
if [ $# -ne 2 ]; then
    echo "Usage: $0 <target_machine> <path_to_ca_cert>"
    echo "Example: $0 target_machine /path/to/ca.pem"
    exit 1
fi
 
TARGET_MACHINE=$1
CA_CERT_PATH=$2
 
# Check if the CA certificate file exists locally
if [ ! -f "$CA_CERT_PATH" ]; then
    echo "CA certificate not found at $CA_CERT_PATH"
    exit 1
fi
 
# update-ca-certificates only picks up files in /usr/local/share/ca-certificates/
# whose name ends in .crt; a file copied in as ca.pem is silently ignored.
# The file is therefore renamed on the way in; its (PEM) contents are unchanged.
BASE_NAME=$(basename "$CA_CERT_PATH")
REMOTE_PATH="/usr/local/share/ca-certificates/${BASE_NAME%.*}.crt"
 
# Copy the CA certificate to the target machine
echo "Copying CA certificate to $TARGET_MACHINE:$REMOTE_PATH..."
scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":"$REMOTE_PATH"
 
# Connect to the target machine and update CA certificates
# (the first run should report "1 added"; later runs of the same file report "0 added")
echo "Updating CA certificates on $TARGET_MACHINE..."
ssh root@"$TARGET_MACHINE" << 'EOF'
    set -e
    update-ca-certificates
    echo "CA certificates updated successfully."
EOF
 
echo "CA certificate installation completed on $TARGET_MACHINE."

RedHat Based

Manual

sudo cp ca.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Automated

The same script as for Debian, but the directory the certificate is copied into and the command that rebuilds the system trust store are different (and update-ca-trust does not care about the file extension). Here is the full script.

updateRedHatCA
#!/bin/bash
set -euo pipefail    # stop at the first failed scp/ssh instead of reporting success anyway
 
# Check if the required parameters are provided
if [ $# -ne 2 ]; then
    echo "Usage: $0 <target_machine> <path_to_ca_cert>"
    echo "Example: $0 target_machine /path/to/ca.pem"
    exit 1
fi
 
TARGET_MACHINE=$1
CA_CERT_PATH=$2
 
# Check if the CA certificate file exists locally
if [ ! -f "$CA_CERT_PATH" ]; then
    echo "CA certificate not found at $CA_CERT_PATH"
    exit 1
fi
 
# Copy the CA certificate to the target machine's anchors directory
echo "Copying CA certificate to $TARGET_MACHINE..."
scp "$CA_CERT_PATH" root@"$TARGET_MACHINE":/etc/pki/ca-trust/source/anchors/
 
# Connect to the target machine and rebuild the trust store from the anchors directory
echo "Updating CA certificates on $TARGET_MACHINE..."
ssh root@"$TARGET_MACHINE" << 'EOF'
    set -e
    update-ca-trust
    echo "CA certificates updated successfully."
EOF
 
echo "CA certificate installation completed on $TARGET_MACHINE."
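Whether the Debian or the Red Hat script above was used, the two questions worth answering afterwards are the same: is the file being pushed around really a self-signed CA certificate (and not, say, a server certificate that happened to be exported as ca.pem), and once update-ca-certificates or update-ca-trust has run, did that exact certificate land in the system bundle? The POSIX shell functions below answer both with nothing but openssl and awk, and add the end-to-end check that a certificate issued by the new CA verifies against the bundle. This is an added example, not part of this page's scripts; the bundle paths are the distributions' defaults (/etc/ssl/certs/ca-certificates.crt on Debian, /etc/pki/tls/certs/ca-bundle.crt on Red Hat) and the file names in the usage section are assumptions.

```shell
#!/bin/sh
# Pre-flight and post-install checks for a root CA PEM (added example, not part of
# the page's install scripts). Needs only openssl and awk; run it on the machine
# being checked or on the host the certificate is distributed from.

# SHA-256 fingerprint of the (first) certificate in a PEM file, as colon-separated hex.
# Compare it with the value published by whoever runs the CA before trusting the file.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the certificate is self-signed (subject equals issuer) and carries
# basicConstraints CA:TRUE, i.e. it is a root CA and not a leaf or intermediate.
is_root_ca() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${issuer#issuer=}" ] || return 1
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeeds if a certificate with the same fingerprint as $1 is present in the bundle $2
# (e.g. /etc/ssl/certs/ca-certificates.crt after update-ca-certificates). The bundle is
# split into one file per certificate because openssl x509 reads only the first PEM block.
ca_in_bundle() {
    want=$(ca_fingerprint "$1")
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { if (out != "") close(out); n++; out = dir "/" n ".pem" }
        out != "" { print > out }' "$2"
    found=1
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(ca_fingerprint "$f")" = "$want" ]; then
            found=0
            break
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Succeeds if certificate $1 chains to a trust anchor in bundle $2. This is the end-to-end
# check: a server certificate issued by the new CA must verify against the system bundle
# once the CA is installed, and must not before.
verify_against_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage (file names are assumptions): ./checkca ca.pem [server.pem]
if [ $# -ge 1 ]; then
    ca=$1
    bundle=/etc/ssl/certs/ca-certificates.crt                    # Debian derivatives
    [ -f "$bundle" ] || bundle=/etc/pki/tls/certs/ca-bundle.crt  # Red Hat based
    echo "fingerprint: $(ca_fingerprint "$ca")"
    is_root_ca "$ca" && echo "$ca is a self-signed CA certificate" || echo "$ca is NOT a self-signed CA certificate; do not distribute it"
    ca_in_bundle "$ca" "$bundle" && echo "present in $bundle" || echo "absent from $bundle (was the update command run?)"
    if [ $# -ge 2 ]; then
        verify_against_bundle "$2" "$bundle" && echo "$2 verifies against $bundle" || echo "$2 does NOT verify against $bundle"
    fi
fi
```

Run it before the scp (is_root_ca and the fingerprint) and again on the target after the update command (ca_in_bundle, and verify_against_bundle with a certificate the CA has issued); on Debian an absent certificate after a successful-looking run almost always means the file in /usr/local/share/ca-certificates/ does not end in .crt.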
software/openssl/installca.1760911957.txt.gz · Last modified: 2025/10/19 17:12 by rodolico