If you manage your own corporate or private Certificate Authority (CA), sooner or later you'll want to deploy the root CA's certificate on your Linux and Windows clients. This little How-To guides you through the process of deploying your root certificate.
Assumption: Your root CA's certificate exists as root.cert.pem
Issue the following commands to import the new root certificate:
sudo mkdir /usr/local/share/ca-certificates/extra
sudo cp root.cert.pem /usr/local/share/ca-certificates/extra/root.cert.crt
sudo update-ca-certificates
The system trust store is used by most basic tools such as wget and curl.
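One way to confirm that update-ca-certificates really added the root to the system trust store, as an added example that is not part of the original how-to. It assumes the Debian/Ubuntu bundle path /etc/ssl/certs/ca-certificates.crt; the function names are illustrative.

```python
#!/usr/bin/env python3
"""Check that a root CA certificate is present in the system trust bundle."""
import base64
import hashlib
import re
import sys

# Assumption: Debian/Ubuntu bundle that update-ca-certificates regenerates.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in pem_text."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def check_root(root_pem, bundle_pem, expected=None):
    """Return (ok, message) for one root certificate checked against a bundle."""
    roots = pem_fingerprints(root_pem)
    if len(roots) != 1:
        return False, f"expected exactly 1 certificate, found {len(roots)}"
    fp = roots[0]
    if expected is not None:
        # Compare with a fingerprint obtained out of band (colons and case ignored).
        if fp != expected.replace(":", "").lower():
            return False, f"fingerprint mismatch: file has {fp}"
    if fp not in pem_fingerprints(bundle_pem):
        return False, f"{fp} is not in the bundle"
    return True, f"{fp} is trusted"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_root.py root.cert.pem [expected-sha256-fingerprint]")
    with open(sys.argv[1]) as f:
        root = f.read()
    with open(SYSTEM_BUNDLE) as f:
        bundle = f.read()
    ok, msg = check_root(root, bundle, sys.argv[2] if len(sys.argv) > 2 else None)
    print(msg)
    sys.exit(0 if ok else 1)
```

The optional second argument accepts the fingerprint in the form printed by `openssl x509 -in root.cert.pem -noout -fingerprint -sha256`, so the value can be compared against one received from the CA operator over a separate channel.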
Browsers on Linux, such as Firefox, Chromium, Chrome and Vivaldi, won't use the system's trust store, but their own. Install libnss3-tools and execute the linux-browser-import.sh script to import your new root certificate into their trust stores (user-specific!).
Browsers will trust your CA after a restart.
Rename "root.cert.pem" to "root.cert.crt", so Windows will recognize the file as a certificate. Open the file and choose "Install certificate". Install the certificate to the "Trusted Root Certification Authorities" subdirectory - either system-wide or for a specific user only.
You can install new root certificates for every Windows domain participant via Active Directory.
These browsers are using the Windows trust store and accept the certificate by default if it was installed into the Windows trust store before.
Firefox uses its own trust store and therefore doesn't accept the Root CA even if Windows does. You can manually import the root certificate in the Firefox settings or enable experimental Windows trust store support:
Copy the file firefox-windows-truststore.js to Firefox's C:\Program Files (x86)\Mozilla Firefox\defaults\pref directory.
On the next start Firefox will trust your CA. This setting applies system-wide for all users.