Adding a new trusted certificate authority

In this blog post we show you how to add a custom certificate authority to the trusted certificate authorities of an OS distribution. Additionally, we'll publish an Ansible playbook to manage the trusted certificates.

Debian / Ubuntu

To trust a certificate authority on a Debian or Ubuntu system, you have to save your custom certificate authority file(s) to the directory /usr/local/share/ca-certificates. After that, run the binary /usr/sbin/update-ca-certificates to update the trusted certificate authority file of the OS.

Red Hat / CentOS

On a Red Hat Enterprise Linux 6 system, just add your certificate authority file(s) to the directory /usr/local/share/ca-certificates. For RHEL 7 use the directory /etc/pki/ca-trust/source/anchors. On both systems you have to execute the command /bin/update-ca-trust to update the certificate authority file.

Ansible Playbook

You can manage your trusted certificates with this Ansible playbook. It should work on Red Hat Enterprise Linux / CentOS 6 & 7 and Debian 7 & 8. If you would like to use it on Fedora or Ubuntu, you have to add some when conditions or expand the ca_path dict. After you run the playbook, the certificates will be added and the certificate authority file will be updated, so they are trusted by the OS.

Now you can simply add your trusted certificates to the directory defined in the playbook, in our case files/ca.
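As an added example (not the post's own playbook, which is not reproduced here), the manual steps above written as a POSIX shell script. It also performs the distribution-to-family mapping that the ansible_os_family section below describes, so that one script covers Debian, Ubuntu, RHEL, CentOS and Fedora. It follows the one-directory-per-family layout Lex suggests in the comments (/etc/pki/ca-trust/source/anchors for every Red Hat family release, CentOS 6 included), so the RHEL 6 special case from the text is not needed. The function names, the fallback on /etc/redhat-release and /etc/debian_version for hosts without /etc/os-release, and the .crt renaming (update-ca-certificates only reads files with that extension) are my choices.

```shell
#!/bin/sh
# Added example: install a custom CA on a Debian-family or Red Hat-family host.
set -eu

# Map a distribution ID (and optional ID_LIKE) from /etc/os-release to an
# Ansible-style OS family. Prints "Debian" or "RedHat"; returns 1 if unknown.
os_family_from_id() {
    id="$1"; like="${2:-}"
    case " $id $like " in
        *" debian "*|*" ubuntu "*)            echo Debian ;;
        *" rhel "*|*" centos "*|*" fedora "*) echo RedHat ;;
        *) return 1 ;;
    esac
}

# Directory that the family's update tool reads custom anchors from.
anchor_dir_for() {
    case "$1" in
        Debian) echo /usr/local/share/ca-certificates ;;
        RedHat) echo /etc/pki/ca-trust/source/anchors ;;
        *) return 1 ;;
    esac
}

# Command that rebuilds the OS trust bundle for the family.
update_cmd_for() {
    case "$1" in
        Debian) echo /usr/sbin/update-ca-certificates ;;
        RedHat) echo /bin/update-ca-trust ;;
        *) return 1 ;;
    esac
}

# Detect the family of the running host. RHEL/CentOS 6 ship no /etc/os-release,
# so fall back to the release marker files (assumed fallback, my choice).
detect_os_family() {
    if [ -r /etc/os-release ]; then
        # shellcheck disable=SC1091
        . /etc/os-release
        os_family_from_id "${ID:-}" "${ID_LIKE:-}"
    elif [ -r /etc/redhat-release ]; then
        echo RedHat
    elif [ -r /etc/debian_version ]; then
        echo Debian
    else
        return 1
    fi
}

# Copy a PEM-encoded CA into the anchor directory and rebuild the bundle.
# Must run as root. The copy is always named *.crt because
# update-ca-certificates ignores files with any other extension.
install_ca() {
    src="$1"
    family=$(detect_os_family) || { echo "unsupported distribution" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || { echo "$src is not a PEM file" >&2; return 1; }
    dest="$(anchor_dir_for "$family")/$(basename "${src%.*}").crt"
    install -m 0644 "$src" "$dest"
    "$(update_cmd_for "$family")"
    echo "installed $dest and refreshed the $family trust bundle"
}

# Usage: sudo sh add-ca.sh my-corp-root.pem
if [ $# -eq 1 ]; then
    install_ca "$1"
fi
```

The mapping functions are pure (they take the ID and ID_LIKE values as arguments instead of reading files), which makes the family decision easy to test on a workstation before the script is run as root on a server.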


After you have used the manual steps or run the Ansible playbook, you can verify that your certificate authority was successfully added.

On Red Hat / CentOS, check the following file; it includes all trusted certificate authorities.

On Debian / Ubuntu, use this file for verification.
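The verification step as an added example, not code from the post. It checks that the base64 body of your CA appears in the generated bundle, which is more reliable than grepping for a subject name. The bundle paths are assumptions on my part, since the post's file names were not preserved here: /etc/pki/tls/certs/ca-bundle.crt on Red Hat / CentOS and /etc/ssl/certs/ca-certificates.crt on Debian / Ubuntu are the standard locations.

```shell
#!/bin/sh
# Added example: check that a CA's PEM block is present in the OS trust bundle.
set -eu

# Standard bundle locations (assumed here; the post does not name them).
DEBIAN_BUNDLE=/etc/ssl/certs/ca-certificates.crt
REDHAT_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Print the base64 body of the first certificate in a PEM file as one line,
# so that different line wrapping in file and bundle does not matter.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         inside                         { printf "%s", $0 }' "$1"
}

# Return 0 if the CA in $1 is in the bundle $2, 1 if it is not,
# 2 if $1 holds no certificate at all.
ca_in_bundle() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 2
    # Strip the bundle's line structure (and any comment lines between
    # certificates become harmless) and look for the body verbatim.
    tr -d '\r\n' < "$2" | grep -qF -- "$body"
}

# Pick the bundle of the running host from whichever standard file exists.
default_bundle() {
    if [ -r "$REDHAT_BUNDLE" ]; then echo "$REDHAT_BUNDLE"
    elif [ -r "$DEBIAN_BUNDLE" ]; then echo "$DEBIAN_BUNDLE"
    else return 1; fi
}

# Usage: sh verify-ca.sh my-corp-root.pem [bundle]
if [ $# -ge 1 ]; then
    bundle=${2:-$(default_bundle)} || { echo "no OS bundle found; pass its path" >&2; exit 1; }
    if ca_in_bundle "$1" "$bundle"; then
        echo "$1 is present in $bundle"
    else
        echo "$1 is NOT present in $bundle" >&2
        exit 1
    fi
fi
```

If the check fails right after running the update command, the usual causes are a file in /usr/local/share/ca-certificates that does not end in .crt, or a file that is DER rather than PEM encoded.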

ansible_distribution vs ansible_os_family

In the playbook above, we use the Ansible fact ansible_os_family, which differs from ansible_distribution. Every ansible_distribution is linked to an ansible_os_family. Here is the Ansible dict that maps each OS distribution to its OS family.

In case you're running Ansible on an Ubuntu system, the facts are set like this:



  • Binh Thanh Nguyen

    Thanks, nice tips

  • Lex

    Thanks, useful.

    Some fixes for 2017: it's enough to use

    RedHat: /etc/pki/ca-trust/source/anchors
    Debian: /usr/local/share/ca-certificates

    in vars without [ansible_distribution_major_version|int] in the task. This will also make it easier to deal with Ubuntu without adding a major version for each distro, and since CentOS 6 understands /etc/pki/ca-trust/source/anchors as well.

    Also apt/rpm can be shortened to

    # the generic package module resolves to apt or yum per host
    - name: install ca package
      package:
        name: ca-certificates
        state: present

    instead of 1 task per rhel/debian.

    • Dominique Barton

      Thanks for the update! 🙂

  • Stephe

    Thanks for this article. I found it really helpful and it was exactly what I was looking for.

  • Guyen

    This is good information. Thanks. If we wanted to provide a curated list of all trusted Root CAs and Intermediate CAs to our Red Hat administrators, could we simply include all of them in a single .pem file, or is there a better way to distribute the official trust list?
