4.14. Using Shared System Certificates
The Shared System Certificates storage allows NSS, GnuTLS, OpenSSL, and Java to share a default source for retrieving system certificate anchors and black list information. By default, the trust store contains the Mozilla CA list, including positive and negative trust. The system allows updating of the core Mozilla CA list or choosing another certificate list.
4.14.1. Using a System-wide Trust Store
In Red Hat Enterprise Linux 7, the consolidated system-wide trust store is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ are processed with lower priority than settings in /etc/pki/ca-trust/.
Certificate files are treated depending on the subdirectory they are installed to:
/usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ - for trust anchors. See Section 4.5.6, “Understanding Trust Anchors”.
/usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ - for distrusted certificates.
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ - for certificates in the extended BEGIN TRUSTED file format.
4.14.2. Adding New Certificates
To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ directory. To update the system-wide trust store configuration, use the update-ca-trust command, for example:
# cp ~/certificate-trust-examples/Cert-trust-test-ca.pem /usr/share/pki/ca-trust-source/anchors/
# update-ca-trust
Note
While the Firefox browser is able to use an added certificate without executing update-ca-trust, it is recommended to run update-ca-trust after a CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear the browser's cache or restart your browser to load the current system certificates configuration.
4.14.3. Managing Trusted System Certificates
To list, extract, add, remove, or change trust anchors, use the trust command. To see the built-in help for this command, enter it without any arguments or with the --help directive:
$ trust
usage: trust command <args>...

Common trust commands are:
  list             List trust or certificates
  extract          Extract certificates and trust
  extract-compat   Extract trust compatibility bundles
  anchor           Add, remove, change trust anchors
  dump             Dump trust objects in internal format

See 'trust <command> --help' for more information
To list all system trust anchors and certificates, use the trust list command:
$ trust list
pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority

pkcs11:id=%a6%b3%e1%2b%2b%49%b6%d7%73%a1%aa%94%f5%01%e7%73%65%4c%ac%50;type=cert
    type: certificate
    label: ACEDICOM Root
    trust: anchor
    category: authority
...
[output has been truncated]
All sub-commands of the trust command offer a detailed built-in help, for example:
$ trust list --help
usage: trust list --filter=<what>

  --filter=<what>     filter of what to export
                        ca-anchors        certificate anchors
                        blacklist         blacklisted certificates
                        trust-policy      anchors and blacklist (default)
                        certificates      all certificates
                        pkcs11:object=xx  a PKCS#11 URI
  --purpose=<usage>   limit to certificates usable for the purpose
                        server-auth       for authenticating servers
                        client-auth       for authenticating clients
                        email             for email protection
                        code-signing      for authenticating signed code
                        1.2.3.4.5...      an arbitrary object id
  -v, --verbose       show verbose debug output
  -q, --quiet         suppress command output
To store a trust anchor into the system-wide trust store, use the trust anchor sub-command and specify a path to a certificate, for example:
# trust anchor path/to/certificate.crt
To remove a certificate, use either a path to a certificate or an ID of a certificate:
# trust anchor --remove path/to/certificate.crt
# trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
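The procedure from Section 4.14.2 and the verification with trust list from Section 4.14.3, put together as an added shell script (example code, not part of the Red Hat guide): it checks that the file is a PEM or DER certificate, copies it into the anchors directory, runs update-ca-trust, and confirms that trust list reports an anchor whose label matches the certificate's subject CN. It assumes root privileges, the openssl and trust commands, and that ANCHOR_DIR and the subject-CN label check are this script's own conventions.

```shell
#!/bin/bash
# Added example (not from the Red Hat guide): install a CA certificate into the
# RHEL 7 system-wide trust store and confirm that trust(1) reports it as an anchor.
# Assumes root privileges, openssl, and the trust command from p11-kit-trust.
set -eu

# Local administrator additions go in /etc/pki/ca-trust/source/anchors/; the
# /usr/share/pki/ca-trust-source/ tree is for package-shipped files and is
# processed with lower priority (Section 4.14.1).
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"

# Print "pem", "der" or "unknown" for a file. update-ca-trust accepts PEM and
# DER, so checking first catches a key or PKCS#7 bundle copied by mistake.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -N1 -tx1 "$1" 2>/dev/null | tr -d ' ')" = 30 ]; then
        echo der    # 0x30 is the ASN.1 SEQUENCE tag that starts a DER certificate
    else
        echo unknown
    fi
}

# Copy the certificate into ANCHOR_DIR, rebuild the consolidated store and
# check that an anchor with the certificate's subject CN is now listed.
install_anchor() {
    src="$1"
    fmt=$(cert_format "$src")
    if [ "$fmt" = unknown ]; then
        echo "refusing to install $src: not a PEM or DER certificate" >&2
        return 1
    fi
    install -m 0644 "$src" "$ANCHOR_DIR/"
    update-ca-trust
    # trust list prints one "label:" line per certificate; p11-kit derives the
    # label from the subject CN, so a silently ignored file is noticed here.
    cn=$(openssl x509 -in "$src" -inform "$fmt" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if trust list --filter=ca-anchors | grep -q -F -- "label: $cn"; then
        echo "anchor '$cn' installed from $src"
    else
        echo "$src copied, but '$cn' is not listed as an anchor; check the file" >&2
        return 1
    fi
}

# Usage: ./install-anchor.sh /path/to/ca.pem
if [ $# -gt 0 ]; then install_anchor "$1"; fi
```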
4.14.4. Additional Resources
For more information, see the following man pages:
update-ca-trust(8)
trust(1)