---
title: Trust a certificate from a private local certificate authority
publish: true
date: 2026-01-11
tags:
  - guide
  - step-ca
  - runbook
description:
---

# Trust a certificate from a private local certificate authority

## Overview

Make your device trust your private CA for TLS encryption.

## Prerequisites

- A local CA running (in our case step-ca) and reachable at `CA_URL`, for instance `https://local-ca.homelab.internal:443`
- An end device with access to a normal shell (*eww, Powershell*).
- A very basic understanding of what a PKI is and how certificate trust works.

### Initial problem

When running

```bash
curl "$CA_URL"
```

you get:

```
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
```

This is expected: your root certificate authority uses a self-signed certificate, which your device does not trust yet.

## Steps

### Step 1: Setup

If not already done, install the step CLI on your end device:

```bash
brew install step
```

Refer to the official documentation at https://smallstep.com/docs/step-ca/installation/ for additional installation details for your OS.

### Step 2: Get the CA fingerprint

`CA_FINGERPRINT` is the fingerprint of your root certificate.
If no device other than the step-ca host has the CA configured yet, run the following inside the host/container running step-ca (or on any client with step CA already configured):

```bash
step certificate fingerprint <(step ca root)
```

### Step 3: Bootstrap cert

You'll need to run:

```bash
step ca bootstrap --ca-url "$CA_URL" --fingerprint "$CA_FINGERPRINT"
```

where `CA_URL` is the address of the CA, including the protocol.

### Step 4: Install certificate

```bash
step certificate install <(step ca root)
```

### Step 5: Verification

In most modern distributions and *UNIX* derivatives, curl (particularly when installed by default) is configured to use the system trust store.

Now, after running

```bash
curl "$CA_URL"
```

you get `404 page not found`, which is completely fine: the TLS connection was established and the 404 is simply the CA's HTTP response.

### You successfully installed a certificate.

## References

- https://smallstep.com/docs/step-ca/installation/

---

*Created: 2026-01-11*
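The fingerprint from Step 2 is what anchors trust in the root certificate, so a root certificate file can be checked against it before it is handed to `step certificate install`. The script below is an added example, not part of the original runbook or of step's own code; it assumes the fingerprint is the hex SHA-256 of the DER-encoded certificate, and the function names and `root_ca.crt` are hypothetical.

```bash
#!/bin/sh
# Added example (not from the original runbook): compare a root certificate
# with a fingerprint received over a trusted channel before installing it.
# Assumption: fingerprint = hex SHA-256 of the DER-encoded certificate.

# Hash stdin with whichever SHA-256 tool exists (Linux: sha256sum, macOS: shasum).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# Print the lowercase hex SHA-256 of the first certificate in a PEM file.
pem_sha256() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    b64=$(awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; next }
               /-----END CERTIFICATE-----/   { exit }
               inside                        { print }' "$1" | tr -d ' \r\n')
    [ -n "$b64" ] || { echo "no certificate found in: $1" >&2; return 2; }
    printf '%s' "$b64" | base64 -d | sha256_hex
}

# Return 0 only if the file's fingerprint equals the expected one.
# Accepts both "AB:CD:..." and "abcd..." spellings of the expected value.
verify_root_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ': \n' | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*) echo "expected fingerprint is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected 64 hex digits" >&2; return 2; }
    actual=$(pem_sha256 "$1") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "fingerprint matches: $actual"
    else
        echo "MISMATCH: got $actual, expected $expected" >&2
        return 1
    fi
}

# Usage (root_ca.crt is a placeholder for the file you are about to trust):
#   verify_root_fingerprint root_ca.crt "$CA_FINGERPRINT" &&
#       step certificate install root_ca.crt
```

A mismatch or an unreadable file returns a non-zero status, so chaining with `&&` keeps an unverified certificate out of the system trust store.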