Using Shared System Certificates

The Shared System Certificates storage enables NSS, GnuTLS, OpenSSL, and Java to share a default source for retrieving system certificate anchors and black list information. By default, the trust store contains the Mozilla CA list, including positive and negative trust. The system allows updating of the core Mozilla CA list or choosing another certificate list.

Using the System-wide Trust Store

In Fedora, the consolidated system-wide trust store is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ are processed with lower priority than settings in /etc/pki/ca-trust/.

Certificate files are treated depending on the subdirectory they are installed to the following directories:

  • for trust anchors

    • /usr/share/pki/ca-trust-source/anchors/ or

    • /etc/pki/ca-trust/source/anchors/

  • for distrusted certificates

    • /usr/share/pki/ca-trust-source/blacklist/ or

    • /etc/pki/ca-trust/source/blacklist/

  • for certificates in the extended BEGIN TRUSTED file format

    • /usr/share/pki/ca-trust-source/ or

    • /etc/pki/ca-trust/source/

In a hierarchical cryptographic system, a trust anchor is an authoritative entity which is assumed to be trustworthy. For example, in X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. The trust anchor must be put in the possession of the trusting party beforehand to make path validation possible.

Adding New Certificates

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ directory, for example:

  1. # cp ~/certificate-trust-examples/Cert-trust-test-ca.pem /usr/share/pki/ca-trust-source/anchors/

To update the system-wide trust store configuration, use the update-ca-trust command:

  1. # update-ca-trust

While the Firefox browser is able to use an added certificate without executing update-ca-trust, it is recommended to run update-ca-trust after a CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear the browser’s cache or restart your browser to load the current system certificates configuration.

Managing Trusted System Certificates

To list, extract, add, remove, or change trust anchors, use the trust command. To see the built-in help for this command, enter it without any arguments or with the --help directive:

  1. $ trust
  2. usage: trust command <args>...
  3.  
  4. Common trust commands are:
  5.   list             List trust or certificates
  6.   extract          Extract certificates and trust
  7.   extract-compat   Extract trust compatibility bundles
  8.   anchor           Add, remove, change trust anchors
  9.   dump             Dump trust objects in internal format
  10.  
  11. See 'trust <command> --help' for more information

To list all system trust anchors and certificates, use the trust list command:

  1. $ trust list
  2. pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
  3.     type: certificate
  4.     label: ACCVRAIZ1
  5.     trust: anchor
  6.     category: authority
  7.  
  8. pkcs11:id=%a6%b3%e1%2b%2b%49%b6%d7%73%a1%aa%94%f5%01%e7%73%65%4c%ac%50;type=cert
  9.     type: certificate
  10.     label: ACEDICOM Root
  11.     trust: anchor
  12.     category: authority
  13. ...
  14. [output has been truncated]

To store a trust anchor into the system-wide trust store, use the trust anchor sub-command and specify a path.to a certificate, for example:

  1. # trust anchor path.to/certificate.crt

To remove a certificate, use either a path.to a certificate or an ID of a certificate:

  1. # trust anchor --remove path.to/certificate.crt
  2. # trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"

More information

All sub-commands of the trust commands offer a detailed built-in help, for example:

  1. $ trust list --help
  2. usage: trust list --filter=<what>
  4.   --filter=<what>     filter of what to export
  5.                         ca-anchors        certificate anchors
  6.                         blacklist         blacklisted certificates
  7.                         trust-policy      anchors and blacklist (default)
  8.                         certificates      all certificates
  9.                         pkcs11:object=xx  a PKCS#11 URI
  10.   --purpose=<usage>   limit to certificates usable for the purpose
  11.                         server-auth       for authenticating servers
  12.                         client-auth       for authenticating clients
  13.                         email             for email protection
  14.                         code-signing      for authenticating signed code
  15.                         1.2.3.4.5...      an arbitrary object id
  16.   -v, --verbose       show verbose debug output
  17.   -q, --quiet         suppress command output

Additional Resources

For more information, see the following man pages:

  • update-ca-trust(8)

  • trust(1)