This directory /etc/pki/ca-trust/source/ contains CA certificates and 

trust settings in the PEM file format. The trust settings found here will be

interpreted with a high priority - higher than the ones found in 

/usr/share/pki/ca-trust-source/.

=============================================================================

QUICK HELP: To add a certificate in the simple PEM or DER file formats to the

            list of CAs trusted on the system:

            Copy it to the

                    /etc/pki/ca-trust/source/anchors/

            subdirectory, and run the

                    update-ca-trust

            command.

            If your certificate is in the extended BEGIN TRUSTED file format,

            then place it into the main source/ directory instead.

=============================================================================

Description of the source directory and its subdirectories:

-----------------------------------------------------------

In order to offer simplicity and flexibility, the way certificate files

are treated depend on the subdirectory they are installed to.

  trust anchors subdirectory : /etc/pki/ca-trust/source/anchors/

  extended format directory  : /etc/pki/ca-trust/source/

  blacklist subdirectory     : /etc/pki/ca-trust/source/blacklist/

In the main directory /etc/pki/ca-trust/source/

you may install one or multiple files in the following file formats:

- certificate files that include trust flags,

  in the BEGIN/END TRUSTED CERTIFICATE file format

  (any file name), which have been created using the openssl x509 tool

  and the -addreject -addtrust options.

  Bundle files with multiple certificates are supported.

- files in the p11-kit file format using the .p11-kit file

  extension, which can (e.g.) be used to distrust certificates

  based on serial number and issuer name, without having the

  full certificate available.

  (This is currently an undocumented format, to be extended later.

   For an example of a distrusted certificate, see the files

   shipped with the ca-certificates package.)

- certificate files without trust flags in either the DER file format or in

  the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files 

  will be added with neutral trust, neither trusted nor distrusted.

  They will simply be known to the system, which might be helpful to

  assist cryptographic software in constructing chains of certificates.

  (If you want a CA certificate in these file formats to be trusted, you 

   should remove it from this directory and copy it to the 

   ./anchors subdirectory instead.)

In the anchors subdirectory: /etc/pki/ca-trust/source/anchors/

you may install one or multiple certificates in either the DER file

format or in the PEM (BEGIN/END CERTIFICATE) file format.

Each certificate will be treated as *trusted* for all purposes.

In the blacklist subdirectory: /etc/pki/ca-trust/source/blacklist/

you may install one or multiple certificates in either the DER file

format or in the PEM (BEGIN/END CERTIFICATE) file format.

Each certificate will be treated as *distrusted* for all purposes.

Please refer to the x509(1) manual page for the documentation of the

  BEGIN/END CERTIFICATE

and 

  BEGIN/END TRUSTED CERTIFICATE

file formats.

Purpose:

--------

Applications that are able to use PKCS#11 modules can load the 

p11-kit-trust.so module and will benefit from the dynamically merged

set of certificates and trust information stored in the

/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/

directories.

Applications that rely on a static file for a list of trusted CAs

may load one of the files found in the /etc/pki/ca-trust/extracted

directory. After modifying any file stored in the

/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/

directories, it is required to run the ca-update-trust command,

in order to update the merged files in /etc/pki/ca-trust/extracted/ .