4. Install the Certificate Authority Certificate

This chapter explains how to find the Certificate Authority (CA) certificate and how to install it on the server.

4.1. Locate the CA certificate

If you are unable to find your CA certificate, or your issuer did not provide one, follow the steps below to locate and convert it.

Convert your .p12 certificate to a .pem certificate.

openssl pkcs12 -in certificate.p12 -out user.pem -clcerts -nokeys

Now inspect this .pem file and search the certificate text for the reference to the CA certificate (for example, the CA Issuers URI).

openssl x509 -in user.pem -text | grep CA

Use wget to download this certificate.

wget <certificate URL>

If the .crt is in binary format, convert it.

openssl x509 -inform DER -outform PEM -in binary.crt -out txt.crt

Now copy this certificate to the correct folder and update the certificates, as described in section 4.3.

4.2. Extract the CA certificate from PKCS #12

Another possibility is to extract the CA certificate from your PKCS #12 file. If the PKCS #12 file does not contain a CA certificate, the output file will be empty.

openssl pkcs12 -in certificate.p12 -cacerts -nokeys -out ca.crt

Note

We recommend using the CA certificate your certificate issuer provides.

4.3. Install the CA certificate

4.3.1. DEB based

Copy your CA certificate to the ca-certificate folder:

cp ca.crt /usr/local/share/ca-certificates

Update the certificates:

update-ca-certificates -f -v

4.3.2. RPM based

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust enable

Rename your ca.crt to ca.pem (the file must already be PEM-encoded; mv changes only the name, not the encoding):

mv ca.crt ca.pem

Add it as a new file to /etc/pki/tls/certs/:

cp ca.pem /etc/pki/tls/certs/

Now regenerate the hash links so the system easily finds it:

c_rehash

Important

Make sure your CA certificates can be read by the user that runs the web server, for example www-data on Debian and Ubuntu.
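
A pre-install check that ties the steps above together, as an added example that is not part of the original guide: it rejects an empty ca.crt (the case described in 4.2), a DER file that still needs converting (4.1), a certificate whose Basic Constraints do not say CA:TRUE, and a file mode that other users cannot read. The function name check_ca_cert, its return codes and the world-readable test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original guide. The function name and the
# return codes are illustrative choices.
#
# check_ca_cert FILE
#   0  PEM-encoded CA certificate, readable by other users
#   1  file missing or empty (the PKCS #12 bundle held no CA certificate)
#   2  not a PEM certificate (DER files must be converted first, see 4.1)
#   3  parses, but Basic Constraints does not say CA:TRUE
#   4  file mode does not allow other users to read it
check_ca_cert() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "$f: missing or empty" >&2
        return 1
    fi
    # Look for the PEM armor explicitly: newer OpenSSL releases may
    # auto-detect DER input, so a successful parse alone proves nothing.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
       ! openssl x509 -in "$f" -noout 2>/dev/null; then
        echo "$f: not a PEM-encoded X.509 certificate" >&2
        return 2
    fi
    if ! openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
        echo "$f: not a CA certificate" >&2
        return 3
    fi
    # World-readable is an assumption that covers www-data and similar
    # service accounts without knowing their group membership.
    if [ -z "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "$f: not readable by other users" >&2
        return 4
    fi
    # Print subject and fingerprint for comparison with the issuer's values.
    openssl x509 -in "$f" -noout -subject -fingerprint -sha256
}

# Run the check when a file name is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ca_cert "$@"
fi
```

Run it as `sh check_ca.sh ca.crt` before copying the file into the trust store, and compare the printed SHA-256 fingerprint with the value your certificate issuer publishes.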