|
 |
4f058b |
////
|
|
|
4f058b |
Copyright (C) 2013 Red Hat, Inc.
|
|
|
4f058b |
|
|
|
4f058b |
This program is free software; you can redistribute it and/or modify
|
|
|
4f058b |
it under the terms of the GNU General Public License as published by
|
|
|
4f058b |
the Free Software Foundation; either version 2 of the License, or
|
|
|
4f058b |
(at your option) any later version.
|
|
|
4f058b |
|
|
|
4f058b |
This program is distributed in the hope that it will be useful,
|
|
|
4f058b |
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
4f058b |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
4f058b |
GNU General Public License for more details.
|
|
|
4f058b |
////
|
|
|
4f058b |
|
|
|
4f058b |
|
|
|
4f058b |
update-ca-trust(8)
|
|
|
4f058b |
==================
|
|
|
4f058b |
:doctype: manpage
|
|
|
4f058b |
:man source: update-ca-trust
|
|
|
4f058b |
|
|
|
4f058b |
|
|
|
4f058b |
NAME
|
|
|
4f058b |
----
|
|
|
4f058b |
update-ca-trust - manage consolidated and dynamic configuration of CA
|
|
|
4f058b |
certificates and associated trust
|
|
|
4f058b |
|
|
|
4f058b |
|
|
|
4f058b |
SYNOPSIS
|
|
|
4f058b |
--------
|
|
|
4f058b |
*update-ca-trust* ['COMMAND']
|
|
|
4f058b |
|
|
|
4f058b |
|
|
|
4f058b |
DESCRIPTION
|
|
|
4f058b |
-----------
|
|
|
4f058b |
update-ca-trust(8) is used to manage a consolidated and dynamic configuration
|
|
|
4f058b |
feature of Certificate Authority (CA) certificates and associated trust.
|
|
|
4f058b |
|
|
|
4f058b |
The feature is available for new applications that read the
|
|
|
4f058b |
consolidated configuration files found in the /etc/pki/ca-trust/extracted directory
|
|
|
4f058b |
or that load the PKCS#11 module p11-kit-trust.so
|
|
|
4f058b |
|
|
|
4f058b |
Parts of the new feature are also provided in a way to make it useful
|
|
|
4f058b |
for legacy applications.
|
|
|
4f058b |
|
|
|
4f058b |
Many legacy applications expect CA certificates and trust configuration
|
|
|
4f058b |
in a fixed location, contained in files with particular path and name,
|
|
|
4f058b |
or by referring to a classic PKCS#11 trust module provided by the
|
|
|
4f058b |
NSS cryptographic library.
|
|
|
4f058b |
|
|
|
4f058b |
The dynamic configuration feature provides functionally compatible replacements
|
|
|
4f058b |
for classic configuration files and for the classic NSS trust module named libnssckbi.
|
|
|
4f058b |
|
|
|
4f058b |
In order to enable legacy applications, that read the classic files or
|
|
|
4f058b |
access the classic module, to make use of the new consolidated and dynamic configuration
|
|
|
4f058b |
feature, the classic filenames have been changed to symbolic links.
|
|
|
4f058b |
The symbolic links refer to dynamically created and consolidated
|
|
|
4f058b |
output stored below the /etc/pki/ca-trust/extracted directory hierarchy.
|
|
|
4f058b |
|
|
|
4f058b |
The output is produced using the 'update-ca-trust' command (without parameters),
|
|
|
4f058b |
or using the 'update-ca-trust extract' command.
|
|
|
4f058b |
In order to produce the output, a flexible set of source configuration
|
|
|
4f058b |
is read, as described in section <<sourceconf,SOURCE CONFIGURATION>>.
|
|
|
4f058b |
|
|
|
4f058b |
In addition, the classic PKCS#11 module
|
|
|
4f058b |
is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically
|
|
|
4f058b |
reads the same source configuration.
|
|
|
4f058b |
|
|
|
4f058b |
|
|
|
4f058b |
[[sourceconf]]
|
|
|
4f058b |
SOURCE CONFIGURATION
|
|
|
4f058b |
--------------------
|
|
|
4f058b |
The dynamic configuration feature uses several source directories that
|
|
|
4f058b |
will be scanned for any number of source files. *It is important to select
|
|
|
4f058b |
the correct subdirectory for adding files, as the subdirectory defines how
|
|
|
4f058b |
contained certificates will be trusted or distrusted, and which file formats are read.*
|
|
|
4f058b |
|
|
|
4f058b |
Files in *subdirectories below the directory hierarchy /usr/share/pki/ca-trust-source/* contain CA certificates and
|
|
|
4f058b |
trust settings in the PEM file format. The trust settings found here will be
|
|
|
4f058b |
interpreted with a *low priority*.
|
|
|
4f058b |
|
|
|
4f058b |
Files in *subdirectories below the directory hierarchy /etc/pki/ca-trust/source/* contain CA certificates and
|
|
|
4f058b |
trust settings in the PEM file format. The trust settings found here will be
|
|
|
4f058b |
interpreted with a *high priority*.
|
|
|
4f058b |
|
|
|
4f058b |
.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy:
|
|
|
4f058b |
* If you are manually adding a configuration file to a system, you probably
|
|
|
4f058b |
want it to override any other default configuration, and you most likely should
|
|
|
4f058b |
add it to the respective subdirectory in the /etc hierarchy.
|
|
|
4f058b |
* If you are creating a package that provides additional root CA certificates,
|
|
|
4f058b |
that is intended for distribution to several computer systems, but you still
|
|
|
4f058b |
want to allow the administrator to override your list, then your package should
|
|
|
4f058b |
add your files to the respective subdirectory in the /usr hierarchy.
|
|
|
4f058b |
* If you are creating a package that is supposed to override the default system
|
|
|
4f058b |
trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective
|
|
|
4f058b |
subdirectory in the /etc hierarchy.
|
|
|
4f058b |
|
|
|
4f058b |
.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
|
|
|
4f058b |
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/
|
|
|
4f058b |
* run 'update-ca-trust extract'
|
|
|
4f058b |
|
|
|
4f058b |
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
|
|
|
4f058b |
* add it as a new file to directory /etc/pki/ca-trust/source/
|
|
|
4f058b |
* run 'update-ca-trust extract'
|
|
|
4f058b |
|
|
|
4f058b |
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
|
|
|
4f058b |
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
|
|
|
4f058b |
* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
|
|
|
4f058b |
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
|
|
4f058b |
|
|
|
4f058b |
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
|
|
|
4f058b |
* certificate files that include trust flags,
|
|
|
4f058b |
in the BEGIN/END TRUSTED CERTIFICATE file format
|
|
|
4f058b |
(any file name), which have been created using the openssl x509 tool
|
|
|
4f058b |
and the -addreject -addtrust options.
|
|
|
4f058b |
Bundle files with multiple certificates are supported.
|
|
|
4f058b |
* files in the p11-kit file format using the .p11-kit file name
|
|
|
4f058b |
extension, which can (e.g.) be used to distrust certificates
|
|
|
4f058b |
based on serial number and issuer name, without having the
|
|
|
4f058b |
full certificate available.
|
|
|
4f058b |
(This is currently an undocumented format, to be extended later.
|
|
|
4f058b |
For examples of the supported formats, see the files
|
|
|
4f058b |
shipped with the ca-certificates package.)
|
|
|
4f058b |
* certificate files without trust flags in either the DER file format or in
|
|
|
4f058b |
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
|
|
|
4f058b |
will be added with neutral trust, neither trusted nor distrusted.
|
|
|
4f058b |
They will simply be known to the system, which might be helpful to
|
|
|
4f058b |
assist cryptographic software in constructing chains of certificates.
|
|
|
4f058b |
(If you want a CA certificate in these file formats to be trusted, you
|
|
|
4f058b |
should remove it from this directory and move it to the
|
|
|
4f058b |
./anchors subdirectory instead.)
|
|
|
4f058b |
|
|
|
4f058b |
In the anchors subdirectories /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
|
|
|
4f058b |
you may install one or multiple certificates in either the DER file
|
|
|
4f058b |
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
|
|
4f058b |
Each certificate will be treated as *trusted* for all purposes.
|
|
|
4f058b |
|
|
|
4f058b |
In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
|
|
|
4f058b |
you may install one or multiple certificates in either the DER file
|
|
|
4f058b |
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
|
|
4f058b |
Each certificate will be treated as *distrusted* for all purposes.
|
|
|
4f058b |
|
|
|
4f058b |
Please refer to the x509(1) manual page for the documentation of the
|
|
|
4f058b |
BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
|
|
|
4f058b |
|
|
|
4f058b |
Applications that rely on a static file for a list of trusted CAs
|
|
|
4f058b |
may load one of the files found in the /etc/pki/ca-trust/extracted
|
|
|
4f058b |
directory. After modifying any file in the
|
|
|
4f058b |
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
|
|
4f058b |
directories or in any of their subdirectories, or after adding a file,
|
|
|
4f058b |
it is necessary to run the 'update-ca-trust extract' command,
|
|
|
4f058b |
in order to update the consolidated files in /etc/pki/ca-trust/extracted/ .
|
|
|
4f058b |
|
|
|
4f058b |
Applications that load the classic PKCS#11 module using filename libnssckbi.so
|
|
|
4f058b |
(which has been converted into a symbolic link pointing to the new module)
|
|
|
4f058b |
and any application capable of
|
|
|
4f058b |
loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from
|
|
|
4f058b |
the dynamically merged set of certificates and trust information stored in the
|
|
|
4f058b |
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ directories.
|
|
|
4f058b |
|
|
|
4f058b |
|
|
|
4f058b |
[[extractconf]]
|
|
|
4f058b |
EXTRACTED CONFIGURATION
|
|
|
4f058b |
-----------------------
|
|
|
4f058b |
The directory /etc/pki/ca-trust/extracted/ contains generated CA certificate
|
|
|
4f058b |
bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>>
|
|
|
4f058b |
by running the 'update-ca-trust extract' command.
|
|
|
4f058b |
|
|
|
4f058b |
If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
|
|
|
4f058b |
then you can use these files in your application to load a list of global
|
|
|
4f058b |
root CA certificates.
|
|
|
4f058b |
|
|
|
4f058b |
Please never manually edit the files stored in this directory,
|
|
|
4f058b |
because your changes will be lost and the files automatically overwritten,
|
|
|
4f058b |
each time the 'update-ca-trust extract' command gets executed.
|
|
|
4f058b |
|
|
|
4f058b |
In order to install new trusted or distrusted certificates,
|
|
|
4f058b |
please rather install them in the respective subdirectory below the
|
|
|
4f058b |
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
|
|
4f058b |
directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
|
|
|
4f058b |
|
|
|
4f058b |
The directory /etc/pki/ca-trust/extracted/java/ contains
|
|
|
4f058b |
a CA certificate bundle in the java keystore file format.
|
|
|
4f058b |
Distrust information cannot be represented in this file format,
|
|
|
4f058b |
and distrusted certificates are missing from these files.
|
|
|
4f058b |
File cacerts contains CA certificates trusted for TLS server authentication.
|
|
|
4f058b |
|
|
|
4f058b |
The directory /etc/pki/ca-trust/extracted/openssl/ contains
|
|
|
4f058b |
CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format,
|
|
|
4f058b |
as described in the x509(1) manual page.
|
|
|
4f058b |
File ca-bundle.trust.crt contains the full set of all trusted
|
|
|
4f058b |
or distrusted certificates, including the associated trust flags.
|
|
|
4f058b |
|
|
|
4f058b |
The directory /etc/pki/ca-trust/extracted/pem/ contains
|
|
|
4f058b |
CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format,
|
|
|
4f058b |
as described in the x509(1) manual page.
|
|
|
4f058b |
Distrust information cannot be represented in this file format,
|
|
|
4f058b |
and distrusted certificates are missing from these files.
|
|
|
4f058b |
File tls-ca-bundle.pem contains CA certificates
|
|
|
4f058b |
trusted for TLS server authentication.
|
|
|
4f058b |
File email-ca-bundle.pem contains CA certificates
|
|
|
4f058b |
trusted for E-Mail protection.
|
|
|
4f058b |
File objsign-ca-bundle.pem contains CA certificates
|
|
|
4f058b |
trusted for code signing.
|
|
|
4f058b |
|
|
|
4f058b |
|
|
|
4f058b |
COMMANDS
|
|
|
4f058b |
--------
|
|
|
4f058b |
(absent/empty command)::
|
|
|
4f058b |
Same as the *extract* command described below. (However, the command may
|
|
|
4f058b |
print fewer warnings, as this command is being run during rpm package
|
|
|
4f058b |
installation, where non-fatal status output is undesired.)
|
|
|
4f058b |
|
|
|
4f058b |
*extract*::
|
|
|
4f058b |
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
|
|
|
4f058b |
updated versions of the consolidated configuration files stored below
|
|
|
4f058b |
the /etc/pki/ca-trust/extracted directory hierarchy.
|
|
|
4f058b |
|
|
|
4f058b |
FILES
|
|
|
4f058b |
-----
|
|
|
4f058b |
/etc/pki/tls/certs/ca-bundle.crt::
|
|
|
4f058b |
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
|
|
4f058b |
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
|
|
4f058b |
|
|
|
4f058b |
/etc/pki/tls/certs/ca-bundle.trust.crt::
|
|
|
4f058b |
Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
|
|
|
4f058b |
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
|
|
4f058b |
|
|
|
4f058b |
/etc/pki/java/cacerts::
|
|
|
4f058b |
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
|
|
|
4f058b |
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
|
|
4f058b |
|
|
|
4f058b |
/usr/share/pki/ca-trust-source::
|
|
|
4f058b |
Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
|
|
|
4f058b |
|
|
|
4f058b |
/etc/pki/ca-trust/source::
|
|
|
4f058b |
Contains multiple, high priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
|
|
|
4f058b |
|
|
|
4f058b |
/etc/pki/ca-trust/extracted::
|
|
|
4f058b |
Contains consolidated and automatically generated configuration files for consumption by applications,
|
|
|
4f058b |
which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
|
|
|
4f058b |
See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
|
|
|
4f058b |
|
|
|
4f058b |
AUTHOR
|
|
|
4f058b |
------
|
|
|
4f058b |
Written by Kai Engert and Stef Walter.
|