How to reset the list of trusted CA certificates in RHEL 6 and later?

Solution Verified

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9

Issue

  • How can I reset the system-wide list of trusted CA certs on RHEL 6 and later?

Resolution

It's simple for a process with root access to add new Certificate Authority (CA) certs to the system-wide database of trusted CAs. Many applications--both third-party and shipped in RHEL--read CA certs from this database (to name a few: lftp, curl, wget, openssl, firefox), so any CA that has been added to it, deliberately or not, is trusted by all of them.

Follow these steps to ensure the database contains only the default CAs.

  1. Create a backup directory to store any found certs for later inspection

    ~]# mkdir -pv /root/cert.bak
    mkdir: created directory ‘/root/cert.bak’
    
  2. Reset and update the ca-certificates package
    This moves aside any package-owned files that have been customized directly (e.g., ca-bundle.crt), ignoring documentation files, and then updates the package, or reinstalls it if it is already at the latest version

    ~]# rpm -Vv ca-certificates | awk '$1!="........." && $2!="d" {system("mv -v " $NF " /root/cert.bak")}'
    `/etc/pki/java/cacerts' -> `/root/cert.bak/cacerts'
    `/etc/pki/tls/certs/ca-bundle.crt' -> `/root/cert.bak/ca-bundle.crt'
    `/etc/pki/tls/certs/ca-bundle.trust.crt' -> `/root/cert.bak/ca-bundle.trust.crt'
    ~]# yum check-update ca-certificates; (($?==100)) && yum update ca-certificates || yum reinstall ca-certificates
    
  3. Ensure the /etc/pki/ca-trust/source/ and /etc/pki/ca-trust/source/anchors/ directories together contain only the following 2 files
    Move any other files to the backup directory

    ~]# find /etc/pki/ca-trust/source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} +
    /etc/pki/ca-trust/source/ca-bundle.legacy.crt
    /etc/pki/ca-trust/source/README
    
  4. Ensure the /usr/share/pki/ca-trust-source/ and /usr/share/pki/ca-trust-source/anchors/ directories together contain no more than the following 4 files (though RHEL 7.4+ will contain only 2 of them)
    Move any other files to the backup directory

    ~]# find /usr/share/pki/ca-trust-source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} +
    /usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
    /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
    /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
    /usr/share/pki/ca-trust-source/README
    
  5. Rebuild the CA-trust database with update-ca-trust

    • Execute:   update-ca-trust extract

    • RHEL 6: the following warning will very likely be seen

      update-ca-trust: Warning: The dynamic CA configuration feature is in the disabled state

      This is the default state, is expected, and is not a problem
      Optionally, read more about this in the update-ca-trust man page

  6. Note that some applications (like Firefox) also keep their own local cert database, which these steps do not touch
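The procedure above, as an added example that is not part of the Red Hat article: the two decisions it relies on (which package-owned files rpm reports as modified, and which files in the source directories are not stock) are written as functions that can be exercised on constructed input before the real run is done as root. It assumes GNU coreutils and awk, the rpm -Vv line format shown in step 2 (a 9-character attribute column, an optional file-type flag such as c or d, then the path), and yum returning 100 from check-update when an update exists; the sample rpm -Vv output and the temporary directory tree are constructed, not captured from a real system.

```bash
#!/bin/bash
# Added example, not the article's own code. Assumptions: GNU coreutils/awk;
# rpm -Vv's line format (9-char attribute column, optional file-type flag,
# path); yum check-update exits 100 when a newer package is available.

# Step 2, first half: from rpm -Vv output on stdin, print package-owned files
# that rpm reports as changed. Documentation ("d") is ignored, as in the
# article, and so are files reported as missing (nothing to move; the
# reinstall restores them).
modified_files() {
    awk '$1 != "........." && $1 != "missing" && $2 != "d" { print $NF }'
}

# Steps 3 and 4: print files directly under DIR whose names are not in the
# allow-list of stock file names, plus every file in DIR/anchors/ (empty on a
# default install). Subdirectories (anchors/, blacklist/) are left alone.
# Usage: foreign_files DIR STOCK_NAME...
foreign_files() {
    local dir=$1 f name allowed keep
    shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        keep=0
        for allowed in "$@"; do
            [ "$name" = "$allowed" ] && keep=1
        done
        [ "$keep" -eq 0 ] && printf '%s\n' "$f"
    done
    for f in "$dir"/anchors/*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# The full reset. Requires root; invoked with `--run [BACKUP_DIR]`.
reset_ca_trust() {
    local bak=${1:-/root/cert.bak} rc=0
    mkdir -pv "$bak"                                              # step 1
    rpm -Vv ca-certificates | modified_files |                    # step 2
        while IFS= read -r f; do mv -v "$f" "$bak/"; done
    yum -q check-update ca-certificates >/dev/null || rc=$?
    case $rc in
        100) yum -y update ca-certificates ;;      # newer package available
        0)   yum -y reinstall ca-certificates ;;   # already current
        *)   echo "yum check-update failed (rc=$rc)" >&2; return 1 ;;
    esac
    {                                                             # steps 3, 4
        foreign_files /etc/pki/ca-trust/source ca-bundle.legacy.crt README
        foreign_files /usr/share/pki/ca-trust-source ca-bundle.neutral-trust.crt \
            ca-bundle.supplement.p11-kit ca-bundle.trust.crt README
    } | while IFS= read -r f; do mv -v "$f" "$bak/"; done
    update-ca-trust extract                                       # step 5
}

# Constructed rpm -Vv output (not captured from a real system) for a dry run.
SAMPLE_RPM_VERIFY='.........    /usr/share/pki/ca-trust-source/README
.........  d /usr/share/doc/ca-certificates/README
S.5....T.  c /etc/pki/tls/certs/ca-bundle.crt
.......T.  d /usr/share/man/man8/update-ca-trust.8.gz
missing    c /etc/pki/java/cacerts
.M.......  c /etc/pki/tls/certs/ca-bundle.trust.crt'

# Dry run on the constructed data and a throwaway directory tree: shows what
# the real run would move, without touching the system.
dry_run() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/source/anchors" "$tmp/source/blacklist"
    : > "$tmp/source/README"
    : > "$tmp/source/ca-bundle.legacy.crt"
    : > "$tmp/source/corp-root.pem"           # a stray CA dropped at top level
    : > "$tmp/source/anchors/proxy-ca.crt"    # a CA added the usual way
    echo "would move (rpm -Vv):"
    printf '%s\n' "$SAMPLE_RPM_VERIFY" | modified_files
    echo "would move (source dirs):"
    foreign_files "$tmp/source" ca-bundle.legacy.crt README
    rm -rf "$tmp"
}

case ${1-} in
    --run) reset_ca_trust "${2-}" ;;
    *)     dry_run ;;
esac
```

Running the script with no arguments only performs the dry run; `--run` performs the reset. Files are moved rather than deleted so that anything found in the anchors directories can be inspected afterwards (for example with `openssl x509 -noout -subject -in /root/cert.bak/proxy-ca.crt`) to decide whether it was expected.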


5 Comments

This didn't update the CA store for me, on rhel6, until I did a update-ca-trust enable. If you get the message on rhel6 "update-ca-trust: Warning: The dynamic CA configuration feature is in the disabled state" that means you need to enable it, not ignore it, because that's not normal, like the article above says.

Hi Jonathan. My rationale for giving that advice in the article was this: if the feature is disabled (as it is by default), then likely no one has ever used that feature to add custom certs, thus, you don't need to make any changes and you don't need to enable it.

Keep in mind that this article is about resetting the trusted CA cert list to defaults; not adding new ones. If you're adding your own custom CA certs to /etc/pki/ca-trust/source/anchors/ then yes of course you would need to execute update-ca-trust enable.

Thanks for your help.

First you have to update ca-certificates with the latest patch and then enable it. If you are still getting the same error then it probably requires updating the 32-bit p11-kit-trust with this command "yum install p11-kit-trust-*.i686" and after this enable it (update-ca-trust enable) and extract (update-ca-trust extract).

On RHEL 6 (extended support), besides the noted warning, I also have this output. Why?

$ update-ca-trust extract
update-ca-trust: Warning: The dynamic CA configuration feature is in the disabled state
p11-kit: duplicate 'USERTrust RSA Certification Authority' certificate found in: ca-bundle.legacy.crt
p11-kit: duplicate 'USERTrust RSA Certification Authority' certificate found in: ca-bundle.legacy.crt
p11-kit: duplicate 'USERTrust RSA Certification Authority' certificate found in: ca-bundle.legacy.crt
p11-kit: duplicate 'USERTrust RSA Certification Authority' certificate found in: ca-bundle.legacy.crt
p11-kit: duplicate 'USERTrust RSA Certification Authority' certificate found in: ca-bundle.legacy.crt