Para mim, colocar um certificado de CA raiz em /usr/local/share/ca-certificates
e executar update-ca-certificates
funciona bem. Isso não afeta o Firefox nem o Google Chrome, pois eles usam seus próprios armazenamentos de certificados, mas ferramentas como wget
funcionam bem.
De acordo com man update-ca-certificates
:
It reads the file /etc/ca-certificates.conf. Each line gives a pathname
of a CA certificate under /usr/share/ca-certificates that should be
trusted. Lines that begin with "#" are comment lines and thus ignored.
Lines that begin with "!" are deselected, causing the deactivation of
the CA certificate in question. Certificates must have a .crt extension
in order to be included by update-ca-certificates.
Furthermore all certificates with a .crt extension found below
/usr/local/share/ca-certificates are also included as implicitly
trusted.