How to list what certs are installed on a RHEL Server, from the host


I am by no means any expert when it comes to certs on RHEL and openssl commands.

I do know that I can use the following command against another RHEL host, if I know the port number, to display what certificates are being sent:

openssl s_client -showcerts -connect xx.xx.xx.xx:8081

What I'm wondering is whether there is a way to display all of the certs currently installed on a RHEL physical server from the CLI?

I've tried the following command, which didn't show any output:

update-ca-certificates

thanks

Responses

Hi Christopher,

Hope this helps you https://access.redhat.com/solutions/3979121

Also, if you wish to search the rpm database for the keyword 'cert' then you would get to see some packages of interest as shown below:

[root@test ~]# rpm -qa|grep -i cert
ca-certificates-2019.2.32-76.el7_7.noarch
subscription-manager-rhsm-certificates-1.24.26-1.el7.x86_64

You may later list out all the files related to those packages using the command "rpm -ql ca-certificates". This may also help you in tracing the location where these certificate-related files are stored.

The "find" command may also help you here. Assuming that all the certificate files end with the ".crt" extension, you could run the command: $ find /etc -type f -iname '*.crt'

I hope this helps.

Great, thanks for the info, very helpful.

Guess I'll use the find command to find certificates for 3rd-party apps installed on top of RHEL.

Surprised you're still using the rpm command; there isn't anything for yum/dnf.

You're welcome, Christopher. Not sure what you are asking here. If you understand the rpm command, it still remains the core command for package management. In fact, the 'yum/dnf' commands certainly use the rpm command in the back-end.

Hi Christopher,

Just execute sudo dnf list installed | grep cert :)

ca-certificates.noarch                        2020.2.41-80.0.el8_2
libsss_certmap.x86_64                         2.2.3-20.el8
subscription-manager-rhsm-certificates.x86_64 1.26.20-1.el8_2  

Note: in case you are using RHEL 7, replace dnf with yum.

Regards,
Christian

Hi Christopher,

You already got answers that basically confirm that there is no easy way to collect information about certificates.

Knowing that, whenever I run audits (healthchecks) of a specific RHEL server, I at least collect information about the certificates for all ports in the LISTEN state:

# Collect the listening TCP ports from lsof and strip everything but the port number
for port in $(lsof -nP -iTCP -sTCP:LISTEN | sed -e "s/.*://g" -e "s/ (LISTEN)//g" | sort | uniq | egrep -iv COMMAND)
do
   echo "*** Port $port ***"
   # reading from /dev/null makes s_client close the connection right after the handshake
   openssl s_client -showcerts -connect localhost:$port < /dev/null
   echo
done

Regards,

Dusan Baljevic (amateur radio VK2COT)
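An added example (not Dusan's script and not from the Red Hat page) that does the same healthcheck with ss instead of lsof and reduces each certificate to its subject, issuer and expiry date, so the report can be grepped for certificates that are about to expire, and so plain-text listeners are reported rather than producing a wall of handshake errors. It assumes ss (iproute), timeout (coreutils) and openssl are present, which they are on a stock RHEL install; the ss output embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: healthcheck that reports the certificate presented on every
# TCP port in LISTEN state.  Assumes ss (iproute), timeout (coreutils) and
# openssl are installed, as on a stock RHEL system.

# Read 'ss -Hltn' output on stdin and print each unique port once.
# The 4th column is "Local Address:Port"; the port is whatever follows the
# last colon, which also works for IPv6 ([::]:22) and wildcard (*:9090)
# local addresses.
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# Fetch the certificate served on localhost:$port and print only its subject,
# issuer and expiry.  Plain-text services (ssh, smtp without STARTTLS, ...)
# make the handshake fail; they are reported, not skipped silently.
report_cert() {
    port=$1
    echo "*** Port $port ***"
    if cert=$(timeout 5 openssl s_client -showcerts -connect "localhost:$port" \
                  </dev/null 2>/dev/null |
              openssl x509 -noout -subject -issuer -enddate 2>/dev/null); then
        printf '%s\n' "$cert"
    else
        echo "no TLS certificate (plain-text service or handshake failed)"
    fi
}

# Constructed 'ss -Hltn' output used to demonstrate the parser offline.
SAMPLE_SS_OUTPUT='LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096       127.0.0.1:8081      0.0.0.0:*
LISTEN 0      50                 *:9090            *:*'

# Ports extracted from the constructed sample: 22, 8081, 9090 (22 only once).
demo_ports() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | listening_ports
}

# Live run over the real socket table: one report per listening port.
scan_listeners() {
    ss -Hltn | listening_ports | while read -r port; do
        report_cert "$port"
        echo
    done
}

# Scan only when executed directly as cert_healthcheck.sh, so that sourcing
# the file (for example from a test) does not open any connections.
if [ "$(basename -- "$0")" = "cert_healthcheck.sh" ]; then
    scan_listeners
fi
```

Save it as cert_healthcheck.sh and run it as root so that ss sees every listener; piping the report through grep notAfter gives a one-line-per-port expiry overview.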

Hello,

I would suggest using the "trust list" sub-command.

For more information, see the Using shared system certificates section in the RHEL Security hardening document [1].

Kind regards, --Mirek

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-shared-system-certificates_security-hardening
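The trust list output Mirek points to is verbose (five lines per certificate). As an added example, not from the Red Hat documentation or the p11-kit project, the following turns that listing into a tab-separated inventory of trust, category and label, one line per certificate, which is the form that is easy to diff between hosts or audit runs and to filter for distrusted entries. It assumes the record layout of trust list from the p11-kit-trust package (a pkcs11: URI line followed by indented key: value lines); the sample listing embedded in it is constructed, and the exact keyword used for distrusted entries depends on the p11-kit version.

```shell
#!/bin/sh
# Added example: turn 'trust list' output into a tab-separated inventory
# (trust, category, label), one line per certificate.  'trust' is provided
# by the p11-kit-trust package on RHEL.

# Read 'trust list' output on stdin.  Each record starts with a pkcs11: URI
# and is followed by indented "key: value" lines; records are separated by a
# blank line.  Only records of type "certificate" are printed.
trust_inventory() {
    awk '
        function emit() {
            if (ctype == "certificate") print trust "\t" category "\t" label
            ctype = ""; label = ""; trust = ""; category = ""
        }
        /^pkcs11:/      { emit() }
        /^ +type: /     { sub(/^ +type: /, "");     ctype = $0 }
        /^ +label: /    { sub(/^ +label: /, "");    label = $0 }
        /^ +trust: /    { sub(/^ +trust: /, "");    trust = $0 }
        /^ +category: / { sub(/^ +category: /, ""); category = $0 }
        END             { emit() }
    '
}

# Number of certificates the system actively trusts as anchors.
anchor_count() {
    trust_inventory | awk -F'\t' '$1 == "anchor" { n++ } END { print n + 0 }'
}

# Labels of certificates present in the store but not trusted as anchors
# (distrusted entries; the exact trust keyword depends on the p11-kit version).
non_anchor_labels() {
    trust_inventory | awk -F'\t' '$1 != "anchor" { print $3 }'
}

# Constructed 'trust list' output for an offline demonstration; the labels,
# ids and the distrusted entry are made up.
SAMPLE_TRUST_LIST='pkcs11:id=%aa%bb;type=cert
    type: certificate
    label: Example Root CA (constructed)
    trust: anchor
    category: authority

pkcs11:id=%cc%dd;type=cert
    type: certificate
    label: Corp Internal CA (constructed)
    trust: anchor
    category: authority

pkcs11:id=%ee%ff;type=cert
    type: certificate
    label: Revoked Vendor CA (constructed)
    trust: blacklisted
    category: authority'

demo_inventory()    { printf '%s\n' "$SAMPLE_TRUST_LIST" | trust_inventory; }
demo_anchor_count() { printf '%s\n' "$SAMPLE_TRUST_LIST" | anchor_count; }
demo_non_anchors()  { printf '%s\n' "$SAMPLE_TRUST_LIST" | non_anchor_labels; }

# Live use on a RHEL host:
#   trust list | trust_inventory | sort -t "$(printf '\t')" -k3 > trust-$(hostname).tsv
# and diff the files from two hosts, or two dates, to spot added or removed anchors.
```

Anchors added under /etc/pki/ca-trust/source/anchors/ and activated with update-ca-trust show up in the same listing, so the inventory also catches locally added CAs that an rpm query would never see.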