This directory /etc/pki/ca-trust/source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority - higher than the ones found in
/usr/share/pki/ca-trust-source/.
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
list of CAs trusted on the system:
Copy it to the
/etc/pki/ca-trust/source/anchors/
subdirectory, and run the
update-ca-trust
command.
If your certificate is in the extended BEGIN TRUSTED file format,
then place it into the main source/ directory instead.
=============================================================================
Description of the source directory and its subdirectories:
-----------------------------------------------------------
In order to offer simplicity and flexibility, the way certificate files
are treated depend on the subdirectory they are installed to.
trust anchors subdirectory : /etc/pki/ca-trust/source/anchors/
extended format directory : /etc/pki/ca-trust/source/
blacklist subdirectory : /etc/pki/ca-trust/source/blacklist/
In the main directory /etc/pki/ca-trust/source/
you may install one or multiple files in the following file formats:
- certificate files that include trust flags,
in the BEGIN/END TRUSTED CERTIFICATE file format
(any file name), which have been created using the openssl x509 tool
and the -addreject -addtrust options.
Bundle files with multiple certificates are supported.
- files in the p11-kit file format using the .p11-kit file
extension, which can (e.g.) be used to distrust certificates
based on serial number and issuer name, without having the
full certificate available.
(This is currently an undocumented format, to be extended later.
For an example of a distrusted certificate, see the files
shipped with the ca-certificates package.)
- certificate files without trust flags in either the DER file format or in
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
will be added with neutral trust, neither trusted nor distrusted.
They will simply be known to the system, which might be helpful to
assist cryptographic software in constructing chains of certificates.
(If you want a CA certificate in these file formats to be trusted, you
should remove it from this directory and copy it to the
./anchors subdirectory instead.)
In the anchors subdirectory: /etc/pki/ca-trust/source/anchors/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
In the blacklist subdirectory: /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.
Please refer to the x509(1) manual page for the documentation of the
BEGIN/END CERTIFICATE
and
BEGIN/END TRUSTED CERTIFICATE
file formats.
Purpose:
--------
Applications that are able to use PKCS#11 modules can load the
p11-kit-trust.so module and will benefit from the dynamically merged
set of certificates and trust information stored in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.
Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying any file stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
directories, it is required to run the ca-update-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted/ .