Certificates in Linux are used to secure connections, verify the authenticity of services, and encrypt data. They play an important role in technologies such as HTTPS, VPN, SSH, TLS, and many others. In this article, we will look at what certificates are, how they work in the Linux environment, and how to create and configure them.
What is a certificate?
A certificate is a digital document that is used to verify the authenticity of a server or client. It contains:
- Public key;
- Owner information;
- Expiration date;
- Certificate authority (CA) signature.
The most common certificate format is X.509, often used with the TLS/SSL protocol to secure Internet connections.
Where are certificates used in Linux?
- Web servers (Apache, Nginx) — HTTPS protection;
- VPN (OpenVPN, WireGuard) — client and server authentication;
- Mail servers — secure messaging;
- SSH with two-factor authentication;
- Docker, Kubernetes — secure interaction between services.
Where are certificates stored in Linux?
Certificates and private keys are usually stored in the following directories:
- /etc/ssl/private/ Private keys (only accessible to root)
- /usr/local/share/ca-certificates/ Custom CAs for the system
- ~/.ssh/ SSH keys and certificates
- /etc/ssl/certs/ Public certificates
Creating a self-signed certificate
A self-signed certificate can be used for testing or in internal networks:
apt update && apt install openssl -y && \
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

- -keyout key.pem — file with private key;
- -out cert.pem — certificate itself;
- -days 365 — validity period.
Note: openssl will ask you for certificate details — organization, country, CN (Common Name), etc.
Installing a certificate to the system (Debian/Ubuntu)
If you want to add a custom root certificate (for example, a corporate CA), place the certificate (in .crt format) in the directory:
sudo cp mycompany.crt /usr/local/share/ca-certificates/
Update the list of trusted certificates:
sudo update-ca-certificates
Checking the certificate
You can check the structure and validity of the certificate using the command:
openssl x509 -in cert.pem -text -noout
Check the correctness of the connection to the server:
openssl s_client -connect example.com:443
Removing or revoking a certificate
When the private key is lost or compromised, you need to revoke the certificate from the CA:
sudo rm /usr/local/share/ca-certificates/mycompany.crt
sudo update-ca-certificates --fresh
A separate configuration is required to organize a certificate revocation system (CRL/OCSP) - it is more often used in a corporate environment.
Certificates in Linux are an important element of the security system. They provide trust and encryption, without which a modern infrastructure is impossible. Knowing the basics of working with certificates, generating keys and setting up trusted centers is a useful skill for any administrator.