This is my personal guide for installing the UCLab root CA certificate on Arch Linux, ensuring it’s trusted by the system and all major browsers including Microsoft Edge.
Prerequisites
- Root/sudo access
- The
uclab-root-ca.cercertificate file - The certificate is already in PEM format (no conversion needed)
Step 1: Install Certificate System-Wide
Copy the UCLab certificate to the system trust store:
sudo cp uclab-root-ca.cer /etc/ca-certificates/trust-source/anchors/
Update the system trust store:
sudo trust extract-compat
Verify the certificate was added:
trust list | grep -i uclab
You should see:
label: uclab-AD1-CA
At this point, most command-line tools (curl, wget, git, etc.) and some browsers will trust your CA.
Step 2: Configure Microsoft Edge (and Chrome/Chromium)
Edge and Chromium-based browsers on Linux use the NSS (Network Security Services) certificate database, which is separate from the system trust store.
Add Certificate to NSS Database
First, check your NSS database location:
ls -la ~/.pki/nssdb/
Add your certificate to the NSS database:
certutil -A -n "uclab-AD1-CA" -t "C,," -i /etc/ca-certificates/trust-source/anchors/uclab-root-ca.cer -d sql:$HOME/.pki/nssdb
Important notes:
- Don’t use
sudo- this modifies your user’s database, not root’s - The
-t "C,,"flag sets the certificate as trusted for SSL/TLS
Verify Installation
List certificates in your NSS database:
certutil -L -d sql:$HOME/.pki/nssdb
You should see your certificate listed with trust attributes C,,:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
uclab-AD1-CA C,,
Restart Edge
Kill all Edge processes and restart:
pkill -9 msedge
Then launch Edge normally. Your custom CA should now be trusted.
Verification
Test that your certificate works:
# Test with curl (replace with your actual UCLab domain)
curl -v https://your-uclab-site.example.com
# View certificate details in NSS database
certutil -L -d sql:$HOME/.pki/nssdb -n "uclab-AD1-CA"