4.14. Using Shared System Certificates
The Shared System Certificates storage allows NSS, GnuTLS, OpenSSL, and Java to share a default source for retrieving system certificate anchors and black list information. By default, the trust store contains the Mozilla CA list, including positive and negative trust. The system allows updating of the core Mozilla CA list or choosing another certificate list.
4.14.1. Using a System-wide Trust Store
As a user I use the same trust store for all applications.
In Red Hat Enterprise Linux 7, the consolidated system-wide trust store is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ are processed with lower priority than settings in /etc/pki/ca-trust/source/, so an administrator's entries under /etc/ take precedence over those shipped by packages under /usr/share/.
Certificate files are treated depending on the subdirectory they are installed to:
/etc/pki/ca-trust/source/anchors/ - for trust anchors. See Section 4.5.6, “Understanding Trust Anchors”.
/etc/pki/ca-trust/source/blacklist/ - for distrusted certificates.
/etc/pki/ca-trust/source/ - for certificates in the extended BEGIN TRUSTED file format.
4.14.2. Adding New Certificates
As an administrator I am able to add new certificates to the trust store in a consistent way.
To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the /etc/pki/ca-trust/source/anchors/ directory. To update the system-wide trust store configuration, run the update-ca-trust command afterwards, for example:

    # cp ~/certificate-trust-examples/Cert-trust-test-ca.pem /usr/share/pki/ca-trust-source/anchors/
    # update-ca-trust

Note that this example copies the file into the lower-priority /usr/share/pki/ca-trust-source/anchors/ directory; /etc/pki/ca-trust/source/anchors/ takes precedence over it and is the usual location for CAs added by an administrator.
While the Firefox browser is able to use an added certificate without executing update-ca-trust, it is recommended to run update-ca-trust after any CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear the browser's cache or restart the browser to load the current system certificate configuration.
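The procedure above as one script (an added example, not code from the Red Hat guide): it decides which subdirectory of the trust store a file belongs in from the file's format (plain PEM or DER go to anchors/, the extended BEGIN TRUSTED format goes to the top of the source tree), copies it there, and runs update-ca-trust only when it is writing the real store as root. The function names cert_dest_dir and add_ca_cert and the CA_TRUST_ROOT override variable are this example's own; the dry-run path and placeholder certificate files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the RHEL guide): install a CA certificate into the
# shared system trust store in the subdirectory that matches its format.
# CA_TRUST_ROOT is an override used by this example only; it defaults to the
# high-priority RHEL 7 location and can point at a scratch directory for a dry run.
CA_TRUST_ROOT="${CA_TRUST_ROOT:-/etc/pki/ca-trust/source}"

# Print the directory a certificate file belongs in, judged by its format:
#   "BEGIN TRUSTED CERTIFICATE" (extended trust format) -> $CA_TRUST_ROOT
#   "BEGIN CERTIFICATE" (plain PEM)                     -> $CA_TRUST_ROOT/anchors
#   first byte 0x30 (DER SEQUENCE)                      -> $CA_TRUST_ROOT/anchors
# Anything else fails, so random files are never copied into the trust store.
cert_dest_dir() {
    f="$1"
    if grep -q '^-----BEGIN TRUSTED CERTIFICATE-----' "$f" 2>/dev/null; then
        echo "$CA_TRUST_ROOT"
    elif grep -q '^-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo "$CA_TRUST_ROOT/anchors"
    elif [ "$(head -c 1 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo "$CA_TRUST_ROOT/anchors"
    else
        return 1
    fi
}

# Copy the file into place and, when this is the real store and we are root,
# regenerate the consolidated bundles with update-ca-trust. In any other case
# (dry run, unprivileged user) only the copy happens and the caller is told
# what is still to do.
add_ca_cert() {
    src="$1"
    dest="$(cert_dest_dir "$src")" || {
        echo "refusing $src: not PEM, DER or BEGIN TRUSTED format" >&2
        return 1
    }
    mkdir -p "$dest"
    cp "$src" "$dest/"
    case "$dest" in
        /etc/pki/ca-trust/source*)
            if [ "$(id -u)" -eq 0 ] && command -v update-ca-trust >/dev/null 2>&1; then
                update-ca-trust
                return 0
            fi
            ;;
    esac
    echo "copied $src to $dest/; run update-ca-trust as root to refresh the bundles" >&2
}

# Usage on a real system, as root, with CA_TRUST_ROOT unset:
#   add_ca_cert ~/certificate-trust-examples/Cert-trust-test-ca.pem
# Dry run into a scratch tree (constructed path):
#   CA_TRUST_ROOT=/tmp/store-test; add_ca_cert some-ca.pem
```

The format check is the point of the script: a file that is neither PEM, DER nor the BEGIN TRUSTED format is rejected instead of being dropped into the trust store, and the BEGIN TRUSTED form is routed to the source/ top level as the section above describes rather than to anchors/.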
4.14.3. Managing Trusted System Certificates
As a user/administrator I can list used (dis)trusted system certificates.
To list, extract, add, remove, or change trust anchors, use the trust command. To see the built-in help for this command, enter it without any argument or with the --help option:

    $ trust
    usage: trust command <args>...

    Common trust commands are:
      list             List trust or certificates
      extract          Extract certificates and trust
      extract-compat   Extract trust compatibility bundles
      anchor           Add, remove, change trust anchors
      dump             Dump trust objects in internal format

    See 'trust <command> --help' for more information
To list all system trust anchors and certificates, use the trust list sub-command:

    $ trust list
    pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
        type: certificate
        label: ACCVRAIZ1
        trust: anchor
        category: authority
    pkcs11:id=%a6%b3%e1%2b%2b%49%b6%d7%73%a1%aa%94%f5%01%e7%73%65%4c%ac%50;type=cert
        type: certificate
        label: ACEDICOM Root
        trust: anchor
        category: authority
    ...
    [output has been truncated]
All sub-commands of the trust command offer a detailed built-in help, for example:

    $ trust list --help
    usage: trust list --filter=<what>

      --filter=<what>     filter of what to export
                            ca-anchors        certificate anchors
                            blacklist         blacklisted certificates
                            trust-policy      anchors and blacklist (default)
                            certificates      all certificates
                            pkcs11:object=xx  a PKCS#11 URI
      --purpose=<usage>   limit to certificates usable for the purpose
                            server-auth       for authenticating servers
                            client-auth       for authenticating clients
                            email             for email protection
                            code-signing      for authenticating signed code
                            1.2.3.4.5...      an arbitrary object id
      -v, --verbose       show verbose debug output
      -q, --quiet         suppress command output
To store a trust anchor into the system-wide trust store, use the trust anchor sub-command and specify a path to a certificate, for example:

    # trust anchor path.to/certificate.crt

To remove a certificate, use either a path to a certificate or an ID of a certificate. The ID is the pkcs11: URI that trust list prints on the first line of each record:

    # trust anchor --remove path.to/certificate.crt
    # trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
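Because trust anchor --remove takes the PKCS#11 URI rather than a label, removing a specific anchor in a script means reading it out of the trust list output first. The following helpers do that (an added example, not code from the Red Hat guide or from p11-kit): one parses the record-per-object listing shown above into one tab-separated line per object, the other looks up an object's URI by its exact label and fails when there is no match, so a mistyped label never becomes an empty --remove argument. The function names are this example's own; the sample listing is a constructed copy of the first two records shown above.

```shell
#!/bin/sh
# Added example (not from the RHEL guide or p11-kit): parse `trust list`
# output into TSV and resolve a label to the PKCS#11 URI that
# `trust anchor --remove` expects. Function names are this example's own.

# Constructed sample: the first two records of the listing shown above.
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority
pkcs11:id=%a6%b3%e1%2b%2b%49%b6%d7%73%a1%aa%94%f5%01%e7%73%65%4c%ac%50;type=cert
    type: certificate
    label: ACEDICOM Root
    trust: anchor
    category: authority
EOF
}

# stdin: `trust list` output. stdout: "uri<TAB>label<TAB>trust<TAB>category".
# A record starts at an unindented pkcs11: URI line; the indented "key: value"
# lines that follow belong to it. Fields missing from a record stay empty.
trust_list_tsv() {
    awk '
        function emit() { printf "%s\t%s\t%s\t%s\n", uri, label, trust, cat }
        /^pkcs11:/          { if (uri != "") emit(); uri = $0; label = trust = cat = "" }
        /^[ \t]*label: /    { sub(/^[ \t]*label: /, "");    label = $0 }
        /^[ \t]*trust: /    { sub(/^[ \t]*trust: /, "");    trust = $0 }
        /^[ \t]*category: / { sub(/^[ \t]*category: /, ""); cat = $0 }
        END                 { if (uri != "") emit() }
    '
}

# stdin: `trust list` output. Prints the URI of every object whose label
# equals $1 exactly; exit status 1 when there is none.
trust_uri_by_label() {
    trust_list_tsv | awk -F '\t' -v want="$1" '
        $2 == want { print $1; n++ }
        END        { exit (n > 0) ? 0 : 1 }
    '
}

# Usage on a real system (the && keeps a failed lookup from running --remove):
#   uri="$(trust list | trust_uri_by_label 'ACEDICOM Root')" && trust anchor --remove "$uri"
# Listing only distrusted objects from the parsed form:
#   trust list --filter=blacklist | trust_list_tsv
```

Matching on the exact label rather than a substring matters here: several roots from the same operator share a prefix, and a loose match could hand --remove the wrong anchor.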
4.14.4. Additional Resources
For more information, see the following man pages: