Handling SSL Errors from Corporate TLS Inspection on Linux
Corporate TLS inspection proxies can intercept HTTPS traffic and re-sign certificates with an internal company CA. Windows machines often receive this CA automatically via Group Policy. Linux systems have no equivalent automatic deployment mechanism, so SSL verification fails for tools like curl, git, and apt until the CA is installed manually.
Linux here means mainly Ubuntu/Debian, but the general approach should apply to other distributions as well.
Find the missing certificate
First, we inspect the certificate chain of a failing host (here microsoft.com).
openssl s_client -connect microsoft.com:443 -showcerts 2>/dev/null </dev/null | openssl x509 -noout -issuer -subject
If the issuer shows an internal proxy CA instead of a public one like DigiCert or Let's Encrypt, the connection is being intercepted:
issuer=C = US, ST = WA, L = Olympia, O = Evil Corp, OU = IT, CN = Acme TLS Inspection
subject=C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = microsoft.com
The issuer name (here Acme TLS Inspection) is what to search for in the next step. Note that this command identifies the intercepting CA but does not produce an installable certificate; for that, use the Windows export below.
Export the certificate from Windows
Since Windows already has the CA in its trust store, we can export it directly from there.
- Open Run (Win+R), type certmgr.msc, press Enter
- Navigate to Trusted Root Certification Authorities → Certificates
- Find the corporate CA cert (search by the issuer name we saw above)
- Right-click → All Tasks → Export...
- Select Base-64 encoded X.509 (.CER) format [1]
- Choose a name and location for the exported certificate (e.g., corporate-ca.cer)
Install the certificate on Linux
After copying the exported certificate file to Linux, we install it into the system trust store. [2]
sudo mv corporate-ca.cer /usr/local/share/ca-certificates/corporate-ca.crt
sudo update-ca-certificates
Important:
The extension must be .crt for update-ca-certificates to pick it up.
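As an added example (not code from the original post), the following script ties the detection step and the fingerprint check from the footnotes together: it flags a host whose leaf certificate is issued by a non-public CA, and it refuses to install an exported CA file unless its SHA-256 fingerprint matches the value your IT department gave you. The list of public CA organisations, the `corporate-ca.crt` target name and the OpenSSL 1.1+ issuer output format (`issuer=C = US, O = ...`) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a host for a non-public
# issuer and installs an exported CA only after a fingerprint match.
# Assumes OpenSSL 1.1+ output style: "issuer=C = US, O = ..., CN = ...".

# Organisations treated as public CAs (assumed list; extend for your environment).
# Any other "O =" value in the issuer is flagged for review.
PUBLIC_CA_ORGS="DigiCert|Let's Encrypt|GlobalSign|Sectigo|Google Trust Services|Amazon"

# Normalise a fingerprint for comparison: drop colons, lower-case the hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 if the "O =" field of an `openssl x509 -issuer` line is not a public CA.
issuer_looks_internal() {
    org=$(printf '%s' "$1" | sed -n 's/.*[=,] *O = \([^,]*\).*/\1/p')
    if printf '%s' "$org" | grep -Eq "$PUBLIC_CA_ORGS"; then
        return 1
    fi
    return 0
}

# Issuer line of the leaf certificate presented by host:443 (needs network access).
leaf_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null </dev/null \
        | openssl x509 -noout -issuer
}

# Install a PEM CA file only if its SHA-256 fingerprint equals the expected one.
install_ca_if_verified() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$2")" ]; then
        echo "fingerprint mismatch for $1, refusing to install" >&2
        return 1
    fi
    sudo cp "$1" /usr/local/share/ca-certificates/corporate-ca.crt   # must end in .crt
    sudo update-ca-certificates
}

# Usage: ./check-ca.sh <host> [exported.cer] [expected-sha256-fingerprint-from-IT]
if [ "$#" -ge 1 ]; then
    issuer=$(leaf_issuer "$1")
    echo "$issuer"
    issuer_looks_internal "$issuer" && echo "non-public issuer: possible TLS inspection"
    [ "$#" -eq 3 ] && install_ca_if_verified "$2" "$3"
fi
```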
[1] Choosing a format other than Base-64 will break the import later or require an additional conversion step.
[2] Before trusting a corporate CA globally, you should verify the certificate fingerprint with your IT department. Importing the wrong root CA can allow malicious TLS certificates to be trusted.