How to Check and Verify CA Certificates in Ubuntu Linux


In the world of Linux security, Certificate Authorities (CAs) act as the trusted third parties that validate the identities of websites, servers, and clients.

Ubuntu comes with a pre-installed bundle of trusted root certificates, but knowing how to check, verify, and inspect these certificates is a crucial skill for system administrators and developers.

This guide covers where CA certificates are stored, how to list them, and how to verify their validity using standard command-line tools.

1. Where are CA Certificates Stored?

On Ubuntu (and most Debian-based systems), trusted CA certificates are stored in a few specific locations:

  • /etc/ssl/certs/: This is the primary directory where OpenSSL and other applications look for trusted certificates. It contains individual certificate files and symbolic links (often named with hash values) to the actual certificates.
  • /etc/ssl/certs/ca-certificates.crt: This is a single concatenated file containing all trusted CA certificates on the system. Many applications (like Python requests or curl) use this specific file instead of scanning the entire directory.
  • /usr/share/ca-certificates/: This directory holds the original certificate files provided by the ca-certificates package.

2. Listing All Installed CA Certificates

Because the main bundle is a single file, you cannot simply “read” it to see a list of names. However, you can use awk and openssl to extract the “Subject” (the name of the organization) from every certificate in the bundle.

Run the following command in your terminal:

awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

What this does:

  1. It reads the bundle file /etc/ssl/certs/ca-certificates.crt.
  2. It splits the file into individual certificates (delimited by BEGIN).
  3. It pipes each certificate into openssl to extract and print the Subject line.

You will see output similar to this:

subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
...

3. Checking for a Specific Certificate

If you want to check if a specific CA (like “Let’s Encrypt” or a corporate internal CA) is currently trusted by your system, you can grep the bundle.

Search by Name

To verify if “ISRG Root X1” (the root for Let’s Encrypt) is trusted:

grep -i "ISRG Root X1" /etc/ssl/certs/ca-certificates.crt

  • If it returns text: The certificate name is present in the bundle.
  • If it returns nothing: The certificate is likely not installed or trusted.

Search by File

If you have a specific certificate file (e.g., my-cert.pem) and want to check its details, use openssl:

openssl x509 -in my-cert.pem -text -noout

  • -in: The input file.
  • -text: Prints the certificate details (Validity, Issuer, Subject, etc.) in plain text.
  • -noout: Prevents outputting the encoded certificate itself.

4. Verifying Server Certificates against the CA Store

Sometimes the issue isn’t the certificate itself, but whether your system trusts a remote server. You can use the openssl s_client tool to test this.

To check if your Ubuntu system trusts google.com:

openssl s_client -connect google.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt

Analyze the Output:

  • Look for the Verify return code at the very end of the output.
  • Success: Verify return code: 0 (ok) — This means your system trusts the CA that signed Google’s certificate.
  • Failure: Verify return code: 19 (self signed certificate in certificate chain) or similar errors indicate a trust issue.
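The following script is an added example, not part of the original article: it builds a throw-away CA bundle from constructed self-signed test CAs, runs the subject-listing loop from section 2 over it, checks for a named CA as in section 3 (matching decoded subjects rather than grepping the raw bundle, which holds only base64 PEM blocks), and performs the section 4 trust check offline with openssl verify -CAfile, the same chain validation s_client reports as the Verify return code. It assumes openssl and awk are installed; all certificate names and paths are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article). Assumes openssl and awk are available.
# Every certificate below is constructed on the fly; none is a real trust anchor.
set -eu

# One "subject=" line per certificate in a PEM bundle (the awk loop from section 2).
list_ca_subjects() {
    awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}

# Exit 0 if a CA whose subject contains "$2" is in bundle "$1", 1 otherwise.
# Matching decoded subjects works; the raw bundle contains no readable names.
ca_in_bundle() {
    list_ca_subjects "$1" | grep -qi -- "$2"
}

# Exit 0 if certificate "$2" chains to a CA in bundle "$1" (openssl "Verify ok"), else non-zero.
leaf_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: two self-signed root CAs in the bundle, one leaf signed by root A,
# and one self-signed certificate that no CA in the bundle vouches for.
WORK="$(mktemp -d)"
BUNDLE="$WORK/bundle.crt"
for name in A B; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example/CN=Example Test Root $name" \
        -keyout "$WORK/root$name.key" -out "$WORK/root$name.pem" 2>/dev/null
    cat "$WORK/root$name.pem" >> "$BUNDLE"
done
openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/rootA.pem" -CAkey "$WORK/rootA.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Untrusted Leaf" \
    -keyout "$WORK/untrusted.key" -out "$WORK/untrusted.pem" 2>/dev/null

list_ca_subjects "$BUNDLE"
ca_in_bundle "$BUNDLE" "Example Test Root A" && echo "Example Test Root A is in the bundle"
leaf_trusted_by "$BUNDLE" "$WORK/leaf.pem" && echo "leaf.pem: chains to a bundled CA"
leaf_trusted_by "$BUNDLE" "$WORK/untrusted.pem" || echo "untrusted.pem: not trusted by the bundle"
```

Point the functions at /etc/ssl/certs/ca-certificates.crt to run the same checks against the real system store.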

5. How to Add a New Custom CA Certificate

If you need to trust a custom CA (e.g., for a corporate intranet or a local development environment), you should not manually edit the /etc/ssl/certs files. Instead, use the update-ca-certificates tool.

  1. Copy your certificate (must be .crt extension) to the shared folder: sudo cp my-custom-ca.crt /usr/local/share/ca-certificates/
  2. Update the store: sudo update-ca-certificates

You should see output indicating that 1 certificate was added. This automatically updates /etc/ssl/certs/ca-certificates.crt and creates the necessary symlinks.

Summary Command Sheet

Action                  Command
List all CA Subjects    awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
Inspect a Cert File     openssl x509 -in [filename] -text -noout
Verify Remote Site      openssl s_client -connect [domain]:443
Update CA Store         sudo update-ca-certificates
David Cao