Red Hat SummitChapter 3. Using shared system certificates
Use the centralized system truststore in RHEL for managing TLS certificates. Using a shared trust location simplifies certificate management and verification across the system.
3.1. The system-wide truststore
RHEL contains a centralized system for managing TLS certificates. NSS, GnuTLS, OpenSSL, and Java use this shared certificate storage to retrieve system certificate anchors and denylist information.
By default, the truststore contains the Mozilla CA list, which includes both positive and negative trust. You can update the core Mozilla CA list by using the centralized system.
The system-wide truststore is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ have lower priority than settings in /etc/pki/ca-trust/.
The system treats certificate files based on the subdirectory to which you install them:
Trust anchors belong to
-
/usr/share/pki/ca-trust-source/anchors/or -
/etc/pki/ca-trust/source/anchors/.
-
Distrusted certificates are stored in
-
/usr/share/pki/ca-trust-source/blocklist/or -
/etc/pki/ca-trust/source/blocklist/.
-
Certificates in the extended BEGIN TRUSTED file (OpenSSL trust certificate) format are located in
-
/usr/share/pki/ca-trust-source/or -
/etc/pki/ca-trust/source/.
-
To add a new certificate to the truststore:
-
For trusted certificates, copy the certificate to
/etc/pki/ca-trust/source/anchors/. -
For distrusted certificates, copy the certificate to
/etc/pki/ca-trust/source/blocklist/. -
Enter the
update-ca-trustcommand, or use thetrust anchorsubcommand.
See the update-ca-trust(8) and trust(1) man pages on your system for more information.
In a hierarchical cryptographic system, a trust anchor is an authoritative entity that other parties consider trustworthy. In the X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. To enable chain validation, the trusting party must have access to the trust anchor.
3.2. Adding new certificates to the system-wide truststore
You can add new certificates to the system-wide truststore. All cryptographic applications running on the system recognize them as trusted.
Even though the Mozilla Firefox browser can use an added certificate without executing update-ca-trust, enter the update-ca-trust command after every CA change.
Browsers, such as Mozilla Firefox and Chromium, cache files. You might have to clear your browser’s cache or restart your browser to load the current system certificate configuration.
Prerequisites
-
The
ca-certificatespackage is present on the system.
Procedure
Copy your certificate file in the PEM or DER format to
/usr/share/pki/ca-trust-source/anchors/or/etc/pki/ca-trust/source/anchors/:# cp <~/certificate-trust-examples/Cert-trust-test-ca.pem> /usr/share/pki/ca-trust-source/anchors/Update the system-wide truststore configuration:
# update-ca-trust extract
3.3. Trusted system certificates management with the trust command
You can manage certificates within the shared system-wide truststore by using the trust command.
You can add or remove certificates from the system-wide truststore by using:
-
Basic file operations with the corresponding files and the
update-ca-trustcommand. See the Adding new certificates to the system-wide truststore section for details. -
The
trustcommand.
The trust command manages certificates in the shared system-wide truststore. You can use its subcommands to list, extract, add, remove, or change trust anchors.
To see the built-in help for the
trustcommand, enter it without any arguments or with the--helpdirective. Also, all subcommands of thetrustcommands provide a detailed built-in help, for example:$ trust list --help usage: trust list --filter=<what> …To list all system trust anchors and certificates, use the
trust listcommand, for example:$ trust list … pkcs11:id=%DD%04%09%07%A2%F5%7A%7D%52%53%12%92%95%EE%38%80%25%0D%A6%59;type=cert type: certificate label: SSL.com Root Certification Authority RSA trust: anchor category: authority …To store a trust anchor into the system-wide truststore, use the
trust anchorsubcommand. Specify a path to a certificate. Replace <path.to/certificate.crt> with the path to your certificate:# trust anchor <path.to/certificate.crt>To remove a certificate, use either a path to a certificate or the ID of a certificate:
# trust anchor --remove <path.to/certificate.crt> # trust anchor --remove "pkcs11:id=<%AA%BB%CC%DD%EE>;type=cert"
See the trust(1) man page on your system for more information.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}