Red Hat SummitChapter 3. Using shared system certificates
The shared system certificate storage enables NSS, GnuTLS, OpenSSL, and Java to share a default source for retrieving system certificate anchors and blocklist information.
3.1. The system-wide truststore
Red Hat Enterprise Linux provides a centralized system for managing TLS certificates. By default, the truststore contains the Mozilla CA list, which includes both positive and negative trust. The system enables you to update the core Mozilla CA list.
The consolidated system-wide truststore is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ have lower priority than settings in /etc/pki/ca-trust/.
The system treats certificate files based on the subdirectory to which you install them. For example, trust anchors belong to the /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ directory.
To add a new certificate to the truststore, you can copy the file containing your certificate to the corresponding directory and use the update-ca-trust command to apply the changes. Alternatively, you can use the trust anchor sub-command.
In a hierarchical cryptographic system, a trust anchor is an authoritative entity that other parties consider trustworthy. In the X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. To enable chain validation, the trusting party must first have access to the trust anchor.
3.2. Adding new certificates to the system-wide truststore
To acknowledge applications on your system with a new source of trust, add the corresponding certificate to the system-wide store and use the update-ca-trust command.
Prerequisites
-
The
ca-certificatespackage is present on the system.
Procedure
Add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the
/usr/share/pki/ca-trust-source/anchors/or/etc/pki/ca-trust/source/anchors/directory, for example:cp <~/certificate-trust-examples/Cert-trust-test-ca.pem> /usr/share/pki/ca-trust-source/anchors/
# cp <~/certificate-trust-examples/Cert-trust-test-ca.pem> /usr/share/pki/ca-trust-source/anchors/Copy to Clipboard Copied! Toggle word wrap Toggle overflow Update the system-wide truststore configuration, use the
update-ca-trustcommand:update-ca-trust extract
# update-ca-trust extractCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Even though the Firefox browser can use an added certificate without a prior execution of update-ca-trust, enter the update-ca-trust command after every CA change. Also note that browsers, such as Firefox and Chromium, cache files, and you might have to clear your browser’s cache or restart your browser to load the current system certificate configuration.
3.3. Trusted system certificates management with the trust command
You can add or remove certificates from system-wide truststore by using either basic file operations with the corresponding files and by using the update-ca-trust command as described in the Adding new certificates to the system-wide truststore section or the trust command.
The trust command provides a way for managing certificates in the shared system-wide truststore. You can use its sub-commands to list, extract, add, remove, or change trust anchors.
To see the built-in help for the
trustcommand, enter it without any arguments or with the--helpdirective. Also, all sub-commands of thetrustcommands provide a detailed built-in help, for example:trust list --help
$ trust list --help usage: trust list --filter=<what> …Copy to Clipboard Copied! Toggle word wrap Toggle overflow To list all system trust anchors and certificates, use the
trust listcommand, for example:trust list
$ trust list … pkcs11:id=%DD%04%09%07%A2%F5%7A%7D%52%53%12%92%95%EE%38%80%25%0D%A6%59;type=cert type: certificate label: SSL.com Root Certification Authority RSA trust: anchor category: authority …Copy to Clipboard Copied! Toggle word wrap Toggle overflow To store a trust anchor into the system-wide truststore, use the
trust anchorsub-command and specify a path to a certificate. Replace <path.to/certificate.crt> by a path to your certificate and its file name:trust anchor <path.to/certificate.crt>
# trust anchor <path.to/certificate.crt>Copy to Clipboard Copied! Toggle word wrap Toggle overflow To remove a certificate, use either a path to a certificate or the ID of a certificate:
trust anchor --remove <path.to/certificate.crt> trust anchor --remove "pkcs11:id=<%AA%BB%CC%DD%EE>;type=cert"
# trust anchor --remove <path.to/certificate.crt> # trust anchor --remove "pkcs11:id=<%AA%BB%CC%DD%EE>;type=cert"Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}