4.14. Using Shared System Certificates | Red Hat Product Documentation (2024)

In RedHat EnterpriseLinux7, the consolidated system-wide trust store is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ are processed with lower priority than settings in /etc/pki/ca-trust/.

Certificate files are treated depending on the subdirectory they are installed to:

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ directory. To update the system-wide trust store configuration, use the update-ca-trust command, for example:

# cp ~/certificate-trust-examples/Cert-trust-test-ca.pem /usr/share/pki/ca-trust-source/anchors/# update-ca-trust

To list, extract, add, remove, or change trust anchors, use the trust command. To see the built-in help for this command, enter it without any arguments or with the --help directive:

$ trustusage: trust command <args>...Common trust commands are: list List trust or certificates extract Extract certificates and trust extract-compat Extract trust compatibility bundles anchor Add, remove, change trust anchors dump Dump trust objects in internal formatSee 'trust <command> --help' for more information

To list all system trust anchors and certificates, use the trust list command:

$ trust listpkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert type: certificate label: ACCVRAIZ1 trust: anchor category: authoritypkcs11:id=%a6%b3%e1%2b%2b%49%b6%d7%73%a1%aa%94%f5%01%e7%73%65%4c%ac%50;type=cert type: certificate label: ACEDICOM Root trust: anchor category: authority...[output has been truncated]

All sub-commands of the trust commands offer a detailed built-in help, for example:

$ trust list --helpusage: trust list --filter=<what> --filter=<what> filter of what to export ca-anchors certificate anchors blacklist blacklisted certificates trust-policy anchors and blacklist (default) certificates all certificates pkcs11:object=xx a PKCS#11 URI --purpose=<usage> limit to certificates usable for the purpose server-auth for authenticating servers client-auth for authenticating clients email for email protection code-signing for authenticating signed code 1.2.3.4.5... an arbitrary object id -v, --verbose show verbose debug output -q, --quiet suppress command output

To store a trust anchor into the system-wide trust store, use the trust anchor sub-command and specify a path.to a certificate, for example:

# trust anchor path.to/certificate.crt

To remove a certificate, use either a path.to a certificate or an ID of a certificate:

# trust anchor --remove path.to/certificate.crt# trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"

For more information, see the following man pages: