Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 3. Using shared system certificates
Learn to use the centralized system truststore in RHEL for managing TLS certificates. Using a shared trust location simplifies certificate management and verification across the system.
3.1. The system-wide truststore
RHEL contains a centralized system for managing TLS certificates. This shared certificate storage serves as a unified source that NSS, GnuTLS, OpenSSL, and Java use to retrieve system certificate anchors and blocklist information.
By default, the truststore contains the Mozilla CA list, which includes both positive and negative trust. You can update the core Mozilla CA list by using the centralized system.
The consolidated system-wide truststore is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ have lower priority than settings in /etc/pki/ca-trust/.
The system treats certificate files based on the subdirectory to which you install them:
Trust anchors belong to
-
/usr/share/pki/ca-trust-source/anchors/or -
/etc/pki/ca-trust/source/anchors/.
-
Distrusted certificates are stored in
-
/usr/share/pki/ca-trust-source/blocklist/or -
/etc/pki/ca-trust/source/blocklist/.
-
Certificates in the extended BEGIN TRUSTED file (OpenSSL trust certificate) format are located in
-
/usr/share/pki/ca-trust-source/or -
/etc/pki/ca-trust/source/.
-
To add a new certificate to the truststore, copy the file containing your certificate to the corresponding directory and use the update-ca-trust command to apply the changes. Alternatively, use the trust anchor subcommand.
See the update-ca-trust(8) and trust(1) man pages on your system for more information.
In a hierarchical cryptographic system, a trust anchor is an authoritative entity that other parties consider trustworthy. In the X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. To enable chain validation, the trusting party must first have access to the trust anchor.
3.2. Adding new certificates to the system-wide truststore
You can add new certificates to the system-wide truststore so that all cryptographic applications running on the system recognize them as trusted.
To acknowledge applications on your system with a new source of trust, add the corresponding certificate to the system-wide store and use the update-ca-trust command.
Even though the Mozilla Firefox browser can use an added certificate without a prior execution of update-ca-trust, enter the update-ca-trust command after every CA change. Also note that browsers, such as Mozilla Firefox and Chromium, cache files, and you might have to clear your browser’s cache or restart your browser to load the current system certificate configuration.
Prerequisites
-
The
ca-certificatespackage is present on the system.
Procedure
Add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the
/usr/share/pki/ca-trust-source/anchors/or/etc/pki/ca-trust/source/anchors/directory, for example:cp <~/certificate-trust-examples/Cert-trust-test-ca.pem> /usr/share/pki/ca-trust-source/anchors/
# cp <~/certificate-trust-examples/Cert-trust-test-ca.pem> /usr/share/pki/ca-trust-source/anchors/Copy to Clipboard Copied! Toggle word wrap Toggle overflow Update the system-wide truststore configuration, use the
update-ca-trustcommand:update-ca-trust extract
# update-ca-trust extractCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3. Trusted system certificates management with the trust command
You can manage certificates within the shared system-wide truststore by using the trust command.
You can add or remove certificates from the system-wide truststore by using either basic file operations with the corresponding files and by using the update-ca-trust command as described in the Adding new certificates to the system-wide truststore section or the trust command.
The trust command provides a way for managing certificates in the shared system-wide truststore. You can use its subcommands to list, extract, add, remove, or change trust anchors.
To see the built-in help for the
trustcommand, enter it without any arguments or with the--helpdirective. Also, all subcommands of thetrustcommands provide a detailed built-in help, for example:trust list --help
$ trust list --help usage: trust list --filter=<what> …Copy to Clipboard Copied! Toggle word wrap Toggle overflow To list all system trust anchors and certificates, use the
trust listcommand, for example:trust list
$ trust list … pkcs11:id=%DD%04%09%07%A2%F5%7A%7D%52%53%12%92%95%EE%38%80%25%0D%A6%59;type=cert type: certificate label: SSL.com Root Certification Authority RSA trust: anchor category: authority …Copy to Clipboard Copied! Toggle word wrap Toggle overflow To store a trust anchor into the system-wide truststore, use the
trust anchorsubcommand and specify a path to a certificate. Replace <path.to/certificate.crt> by a path to your certificate and its file name:trust anchor <path.to/certificate.crt>
# trust anchor <path.to/certificate.crt>Copy to Clipboard Copied! Toggle word wrap Toggle overflow To remove a certificate, use either a path to a certificate or the ID of a certificate:
trust anchor --remove <path.to/certificate.crt> trust anchor --remove "pkcs11:id=<%AA%BB%CC%DD%EE>;type=cert"
# trust anchor --remove <path.to/certificate.crt> # trust anchor --remove "pkcs11:id=<%AA%BB%CC%DD%EE>;type=cert"Copy to Clipboard Copied! Toggle word wrap Toggle overflow
See the trust(1) man page on your system for more information.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}