4.14. Using Shared System Certificates

The Shared System Certificates storage allows NSS, GnuTLS, OpenSSL, and Java to share a default source for retrieving system certificate anchors and blacklist information. By default, the trust store contains the Mozilla CA list, including positive and negative trust. The system allows updating of the core Mozilla CA list or choosing another certificate list.

4.14.1. Using a System-wide Trust Store

As a user I use the same trust store for all applications.

In Red Hat Enterprise Linux 7, the consolidated system-wide trust store is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ are processed with lower priority than settings in /etc/pki/ca-trust/.
Certificate files are treated depending on the subdirectory they are installed to:
  • /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ - for trust anchors. See Section 4.5.6, “Understanding Trust Anchors”.
  • /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ - for distrusted certificates.
  • /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ - for certificates in the extended BEGIN TRUSTED file format.

4.14.2. Adding New Certificates

As an administrator I am able to add new certificates to the trust store in a consistent way.

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ directory. To update system-wide trust store configuration, use the update-ca-trust command, for example:
# cp ~/certificate-trust-examples/Cert-trust-test-ca.pem /usr/share/pki/ca-trust-source/anchors/
# update-ca-trust

Note

While the Firefox browser is able to use an added certificate without executing update-ca-trust, it is recommended to run update-ca-trust after a CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear the browser's cache or restart your browser to load the current system certificate configuration.

4.14.3. Managing Trusted System Certificates

As a user or administrator I can list the trusted and distrusted system certificates in use.

To list, extract, add, remove, or change trust anchors, use the trust command. To see the built-in help for this command, enter it without any argument or with the --help option:
$ trust
usage: trust command <args>...

Common trust commands are:
  list             List trust or certificates
  extract          Extract certificates and trust
  extract-compat   Extract trust compatibility bundles
  anchor           Add, remove, change trust anchors
  dump             Dump trust objects in internal format

See 'trust <command> --help' for more information
To list all system trust anchors and certificates, use the trust list command:
$ trust list
pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority

pkcs11:id=%a6%b3%e1%2b%2b%49%b6%d7%73%a1%aa%94%f5%01%e7%73%65%4c%ac%50;type=cert
    type: certificate
    label: ACEDICOM Root
    trust: anchor
    category: authority
...
[output has been truncated]
All sub-commands of the trust command offer detailed built-in help, for example:
$ trust list --help
usage: trust list --filter=<what>

  --filter=<what>     filter of what to export
                        ca-anchors        certificate anchors
                        blacklist         blacklisted certificates
                        trust-policy      anchors and blacklist (default)
                        certificates      all certificates
                        pkcs11:object=xx  a PKCS#11 URI
  --purpose=<usage>   limit to certificates usable for the purpose
                        server-auth       for authenticating servers
                        client-auth       for authenticating clients
                        email             for email protection
                        code-signing      for authenticating signed code
                        1.2.3.4.5...      an arbitrary object id
  -v, --verbose       show verbose debug output
  -q, --quiet         suppress command output
To store a trust anchor into the system-wide trust store, use the trust anchor sub-command and specify a path to a certificate, for example:
# trust anchor path.to/certificate.crt
To remove a certificate, use either a path to a certificate or an ID of a certificate:
# trust anchor --remove path.to/certificate.crt
# trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
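As an added example (not code from the Red Hat guide), the following Python parses the record layout that trust list prints, so a script can confirm that a CA copied into the anchors directory shows up as an anchor after update-ca-trust, and can list anything the store distrusts. The sample output is constructed from the two entries shown above plus an invented blacklisted entry; the "blacklisted" trust value is assumed to be what trust list prints for distrusted certificates.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample in the layout `trust list` prints above; the third entry,
# a distrusted CA, is invented to exercise the blacklist case.
SAMPLE_TRUST_LIST = """\
pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority

pkcs11:id=%a6%b3%e1%2b%2b%49%b6%d7%73%a1%aa%94%f5%01%e7%73%65%4c%ac%50;type=cert
    type: certificate
    label: ACEDICOM Root
    trust: anchor
    category: authority

pkcs11:id=%aa%bb%cc%dd%ee;type=cert
    type: certificate
    label: Example Distrusted CA
    trust: blacklisted
    category: authority
"""

def parse_trust_list(text):
    """One dict per object: a pkcs11: URI line opens a record and the indented
    'key: value' lines after it belong to it; the id is percent-decoded to hex."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("pkcs11:"):
            current = {"uri": line.strip()}
            m = re.search(r"id=([^;]+)", line)
            if m:
                current["id_hex"] = unquote_to_bytes(m.group(1)).hex()
            records.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return records

def distrusted(records):
    """Objects the store marks as blacklisted, i.e. explicitly distrusted."""
    return [r for r in records if r.get("trust") == "blacklisted"]

def is_trusted_anchor(records, label):
    """True when every object carrying this label is a trust anchor; use it to
    confirm that a CA added via update-ca-trust or trust anchor took effect."""
    matches = [r for r in records if r.get("label") == label]
    return bool(matches) and all(r.get("trust") == "anchor" for r in matches)
```

On a live system, feed it the output of trust list --filter=trust-policy instead of the constructed sample to audit which anchors and blacklisted certificates are actually in effect.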

4.14.4. Additional Resources

For more information, see the following man pages:
  • update-ca-trust(8)
  • trust(1)