Import New Trusted Root CA Certificates

Learn how to add root CA certificates to your local trust list in Ubuntu. Convert to PEM, copy to `/usr/local/share/ca-certificates`, and run `update-ca-certificates` for secure PKI operations.

15 Jun, 2020
26 May, 2025

Quick Steps to Import a Root CA on Ubuntu

1. Ensure the certificate is in PEM format and has a .crt extension.

2. Copy the certificate to /usr/local/share/ca-certificates/.

3. Run the update command:

$ sudo update-ca-certificates

Debugging Certificate and Signature Issues with OpenSSL

OpenSSL is a powerful tool for working with certificates and signatures.
For example, verifying a certificate might fail if the issuer’s CA certificate is missing:

$ openssl verify 38112086027.cer
error 20 at 0 depth lookup: unable to get local issuer certificate
error 38112086027.cer: verification failed

Error 20 means the signing (issuer) certificate is missing from the trust store, so OpenSSL cannot build a chain from 38112086027.cer to a trusted CA.

How to Resolve This

Step 1: Inspect the Certificate

Use OpenSSL to examine the signer certificate:

$ openssl x509 -in 38112086027.cer -text -noout

Key fields:

  • Issuer: C = EE, O = AS Sertifitseerimiskeskus, CN = ESTEID-SK 2015
  • Authority Information Access:
    • CA Issuers URL: http://c.sk.ee/ESTEID-SK_2015.der.crt

This points to the ESTEID-SK 2015 intermediate CA certificate.

Step 2: Download and Convert the Issuer Certificate

1. Download ESTEID-SK_2015.der.crt from the provided URL.

2. Convert it to PEM format:

$ openssl x509 -in ESTEID-SK_2015.der.crt -inform der -out ESTEID-SK_2015.pem.crt

Step 3: Verify the Chain

Check if verification succeeds using the issuer certificate:

$ openssl verify -CAfile ESTEID-SK_2015.pem.crt 38112086027.cer
38112086027.cer: OK

Step 4: Add the CA Certificate to Ubuntu Trust Store

Copy the PEM certificate:

$ sudo cp ESTEID-SK_2015.pem.crt /usr/local/share/ca-certificates/

Update the trust store:

$ sudo update-ca-certificates

Result:

  • Certificates are added under /etc/ssl/certs/.
  • OpenSSL now trusts signatures from this CA.

Verification:

$ openssl verify 38112086027.cer
38112086027.cer: OK

Potential Issues and Troubleshooting

1. OpenSSL Version Problems

Different Ubuntu versions may have different OpenSSL behaviors:

  • Ubuntu 18.04: OpenSSL 1.1.1
  • Ubuntu 20.04: OpenSSL 1.1.1f (known bugs)

Upgrading from OpenSSL 1.1.1e/f may cause issues with SSL connections (e.g., OpenVPN). In some cases, compiling a newer OpenSSL (e.g., 1.1.1g) manually may help but doesn't solve all problems.

Reference: GitHub Issue #11456

2. Certificate Permissions Issue

Newly added certificates might lack read permissions, leading to OpenSSL errors like:

Permission denied: fopen('/usr/lib/ssl/certs/xxxxx.0','r')

Solution: Set read permissions manually:

$ sudo chmod +r /usr/local/share/ca-certificates/ESTEID-SK_2015.pem.crt
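
Steps 2 and 4 and the permissions fix above, combined into one helper that also refuses files that are not CA certificates. This is an added example, not code from the original article; `stage_ca_cert` and its arguments are hypothetical names, and it assumes OpenSSL 1.1.1 or newer (for `-ext`).

```shell
#!/usr/bin/env bash
# Added example, not from the original article. stage_ca_cert and its
# arguments are hypothetical names.
# Usage: stage_ca_cert <cert-file> [dest-dir]
# Run as root when dest-dir is the system directory, then run
# update-ca-certificates as in Step 4.
stage_ca_cert() {
    local src="$1" dest="${2:-/usr/local/share/ca-certificates}"
    local form bc name tmp

    # Work out the encoding by letting OpenSSL try each parser in turn.
    if openssl x509 -in "$src" -inform PEM -noout 2>/dev/null; then
        form=PEM
    elif openssl x509 -in "$src" -inform DER -noout 2>/dev/null; then
        form=DER
    else
        echo "stage_ca_cert: $src is not an X.509 certificate" >&2
        return 1
    fi

    # Only a CA certificate (basicConstraints CA:TRUE) belongs in the store.
    bc=$(openssl x509 -in "$src" -inform "$form" -noout -ext basicConstraints 2>/dev/null || true)
    case $bc in
        *CA:TRUE*) ;;
        *) echo "stage_ca_cert: $src is not a CA certificate" >&2; return 2 ;;
    esac

    # update-ca-certificates only reads files ending in .crt, so normalise
    # names such as ESTEID-SK_2015.der.crt to ESTEID-SK_2015.crt.
    name=$(basename "$src"); name=${name%.*}; name=${name%.der}; name=${name%.pem}

    # Convert to PEM and install world-readable (0644), which avoids the
    # "Permission denied: fopen(...)" error for non-root users.
    tmp=$(mktemp) || return 3
    openssl x509 -in "$src" -inform "$form" -outform PEM -out "$tmp" || { rm -f "$tmp"; return 3; }
    install -m 0644 "$tmp" "$dest/$name.crt" || { rm -f "$tmp"; return 3; }
    rm -f "$tmp"

    # Print the fingerprint so it can be compared with the value the CA publishes.
    openssl x509 -in "$dest/$name.crt" -noout -fingerprint -sha256
}
```

The printed SHA-256 fingerprint is worth checking against a value obtained from the CA through a separate channel, since the CA Issuers URL in this walkthrough is plain HTTP.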

Final Notes

  • The root CA for Estonian ID cards (EE Certification Centre Root CA) is usually already installed on Ubuntu.
  • Only intermediate CAs like ESTEID-SK 2015 may need manual installation.

By following these steps, you can properly trust and verify Estonian digital signatures or any other PKI-based certificates.
