Diving further into the Gitlab world, I’ve found myself setting up a runner for gitlab, and it is required to add the RootCA certificate that gitlab instance is using in order for the runner register with server.

Here is how I’ve done it:

First create a custom folder for tidyness to the following location, I’ve given it an arbitrary name to match domain myCA.domain.local:

sudo mkdir /usr/local/share/ca-certificates/myCA.domain.local

Note: Debian support certs in x509 form like .crt, if yours is in a .pem format I will leave a guide below to convert it to .crt.

Now we’ll copy the file to the previously created directory:

sudo cp rootCA.crt /usr/local/share/ca-certificates/myCA.domain.local

All that is left to do is to update and load the new certificate into the the server’s Trusted Root Certificate Store:

sudo update-ca-certificates

If the shell returns similar output to this we are good to go:

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

If you want to start off with a fresh Trusted Certificate Store we can simply run:

sudo update-ca-certificates --fresh

Finally before we wrap this one up. To convert a certififcate that is in .pem format, we can use openssl to do so:

openssl x509 -inform PEM -in <absolutepath>/certificate.cert -out certificate.crt