Trust a certificate from a private local certificate authority
Overview
Make your device trust your private CA for TLS encryption.
Prerequisites
- A local CA running (in our case step-ca) and reachable at
CA_URL, for instancehttps://local-ca.homelab.internal:443 - An end device with access to a normal shell (eww, Powershell).
- very basic understanding of what a PKI is and how certificate trust works.
Initial problem
When doing
curl $CA_URLyou get :
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Which is normal as your root Certificate authority uses a self-signed certificate.
Steps
Step 1: Setup
If not already done, install step cli on your end-device :
brew install steprefer to official documentation https://smallstep.com/docs/step-ca/installation/ for additional installation details for your OS.
Step 2 : get CA fingerprint
CA_FINGERPRINT is the fingerprint of your root certificate.
If you don’t have any other device than Step CA with the CA configured, run
Inside of your host/container running step CA (or any client with step ca already configured)
step certificate fingerprint <(step ca root)Step 3: Bootstrap cert
You’ll need to run :
step ca bootstrap --ca-url $CA_URL --fingerprint $CA_FINGERPRINTwhere CA_URL is the address of the CA with protocol
Step 3 : Install certificate
step certificate install <(step ca root)Step 4: Verification
In most modern distributions and UNIX derivatives, curl (particularly when installed by default) is configured to run with the system trust store
Now after running
curl $CA_URLyou get
404 page not found
Which is completely fine.
You successfuly installed a certificate.
References
- https://smallstep.com/docs/step-ca/installation/
- Related resources
Created: 2026-01-11