Kai Engert | d538ada

This directory /etc/pki/ca-trust/source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in
/usr/share/pki/ca-trust-source/.

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /etc/pki/ca-trust/source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Description of the source directory and its subdirectories:
-----------------------------------------------------------
In order to offer simplicity and flexibility, the way certificate files
are treated depends on the subdirectory they are installed to.

trust anchors subdirectory : /etc/pki/ca-trust/source/anchors/
extended format directory  : /etc/pki/ca-trust/source/
blacklist subdirectory     : /etc/pki/ca-trust/source/blacklist/

In the main directory /etc/pki/ca-trust/source/
you may install one or multiple files in the following file formats:
- certificate files that include trust flags,
  in the BEGIN/END TRUSTED CERTIFICATE file format
  (any file name), which have been created using the openssl x509 tool
  and the -addreject -addtrust options.
  Bundle files with multiple certificates are supported.
- files in the p11-kit file format using the .p11-kit file
  extension, which can (e.g.) be used to distrust certificates
  based on serial number and issuer name, without having the
  full certificate available.
  (This is currently an undocumented format, to be extended later.
  For an example of a distrusted certificate, see the files
  shipped with the ca-certificates package.)
- certificate files without trust flags in either the DER file format or in
  the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
  will be added with neutral trust, neither trusted nor distrusted.
  They will simply be known to the system, which might be helpful to
  assist cryptographic software in constructing chains of certificates.
  (If you want a CA certificate in these file formats to be trusted, you
  should remove it from this directory and copy it to the
  ./anchors subdirectory instead.)

In the anchors subdirectory: /etc/pki/ca-trust/source/anchors/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.

In the blacklist subdirectory: /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.

Please refer to the x509(1) manual page for the documentation of the
BEGIN/END CERTIFICATE
and
BEGIN/END TRUSTED CERTIFICATE
file formats.

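The directory rules above, together with the QUICK HELP procedure, as an added example that is not part of this README or of the ca-certificates, p11-kit or update-ca-trust tooling: it takes a copy of the source/ tree as a mapping of relative paths to file contents, reports the trust each file will receive from its location, and flags plain certificates left in the main directory (which become neutral rather than trusted). The TRUSTED CERTIFICATE decoding follows OpenSSL's X509_CERT_AUX layout (certificate DER followed by a SEQUENCE whose trust list is a plain SEQUENCE OF OID and whose reject list is tagged [0]); the file names, the stand-in certificate body and the .p11-kit content are constructed sample data, not files from the package.

```python
# Added example (not from the ca-certificates README or its tools): classify
# files under /etc/pki/ca-trust/source/ by the trust they will receive and
# decode the trust/reject purposes stored in a TRUSTED CERTIFICATE trailer.
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(data: bytes):
    """Yield (label, DER bytes) for each PEM block in a file (bundles allowed)."""
    for m in PEM_RE.finditer(data):
        yield m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split()))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value starting at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER value (first arc 0 or 1)."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def _oid_sequence(value: bytes):
    """OIDs contained in the value of a SEQUENCE OF OBJECT IDENTIFIER."""
    oids, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        if tag == 0x06:
            oids.append(_decode_oid(val))
    return oids


def parse_trusted_certificate(der: bytes):
    """Split a TRUSTED CERTIFICATE body into (certificate DER, trust OIDs,
    reject OIDs). OpenSSL appends an X509_CERT_AUX SEQUENCE after the
    certificate: trust is a plain SEQUENCE OF OID, reject is [0] IMPLICIT."""
    _, _, end = _read_tlv(der, 0)
    cert_der, trust, reject = der[:end], [], []
    if end < len(der):
        _, aux, _ = _read_tlv(der, end)
        pos = 0
        while pos < len(aux):
            tag, val, pos = _read_tlv(aux, pos)
            if tag == 0x30:
                trust = _oid_sequence(val)
            elif tag == 0xA0:
                reject = _oid_sequence(val)
    return cert_der, trust, reject


# Extended key usage purposes used by the constructed sample below.
PURPOSE_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.4": "emailProtection"}


def _names(oids) -> str:
    return ",".join(PURPOSE_NAMES.get(o, o) for o in oids) or "-"


def effective_trust(rel_path: str, data: bytes) -> str:
    """Trust a file receives from where it sits under source/, per the README."""
    if rel_path.startswith("anchors/"):
        return "trusted for all purposes"
    if rel_path.startswith("blacklist/"):
        return "distrusted for all purposes"
    if rel_path.endswith(".p11-kit"):
        return "p11-kit trust settings"
    parts = []  # main directory: only TRUSTED CERTIFICATE blocks carry trust
    for label, der in pem_blocks(data):
        if label == "TRUSTED CERTIFICATE":
            _, trust, reject = parse_trusted_certificate(der)
            parts.append(f"trusted for {_names(trust)} / rejected for {_names(reject)}")
    return "; ".join(parts) or "neutral (known, neither trusted nor distrusted)"


def audit_source_tree(files: dict):
    """Return (path -> effective trust, paths of plain certificates that ended
    up neutral in the main directory and probably belong in anchors/)."""
    report = {path: effective_trust(path, data) for path, data in files.items()}
    return report, [p for p, t in report.items() if t.startswith("neutral")]


def pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM block with the given label."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())


# Constructed sample data: a stand-in SEQUENCE where a real file carries the
# X.509 certificate DER, plus an aux trailer trusting serverAuth and rejecting
# emailProtection (what `openssl x509 -addtrust serverAuth -addreject
# emailProtection -trustout` appends). File names are invented.
CERT_STANDIN = bytes.fromhex("3003020101")
AUX = bytes.fromhex("3018" "300a06082b06010505070301" "a00a06082b06010505070304")
SAMPLE_TREE = {
    "anchors/corp-root.pem": pem("CERTIFICATE", CERT_STANDIN),
    "blacklist/revoked-root.crt": CERT_STANDIN,  # DER file, no PEM armour
    "partner-ca.pem": pem("TRUSTED CERTIFICATE", CERT_STANDIN + AUX),
    "forgotten-root.pem": pem("CERTIFICATE", CERT_STANDIN),  # neutral, not trusted
    "distrust-by-serial.p11-kit": b"[p11-kit-object-v1]\n",
}

if __name__ == "__main__":
    report, warnings = audit_source_tree(SAMPLE_TREE)
    for path, trust in report.items():
        print(f"{path:30} {trust}")
    for path in warnings:
        print(f"WARNING: {path} is a plain certificate in the main directory; "
              "move it to anchors/ if it is meant to be trusted")
```

Run it as a script to see the per-file report for the constructed tree; to audit a real system, build the mapping by walking /etc/pki/ca-trust/source/ and reading each file, then run update-ca-trust after moving anything the warning list points out.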

Purpose:
--------
Applications that are able to use PKCS#11 modules can load the
p11-kit-trust.so module and will benefit from the dynamically merged
set of certificates and trust information stored in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.

Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying any file stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
directories, it is required to run the update-ca-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted/ .