|
 |
206e80 |
////
|
|
|
206e80 |
Copyright (C) 2013 Red Hat, Inc.
|
|
|
206e80 |
|
|
|
206e80 |
This program is free software; you can redistribute it and/or modify
|
|
|
206e80 |
it under the terms of the GNU General Public License as published by
|
|
|
206e80 |
the Free Software Foundation; either version 2 of the License, or
|
|
|
206e80 |
(at your option) any later version.
|
|
|
206e80 |
|
|
|
206e80 |
This program is distributed in the hope that it will be useful,
|
|
|
206e80 |
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
206e80 |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
206e80 |
GNU General Public License for more details.
|
|
|
206e80 |
////
|
|
|
206e80 |
|
|
|
206e80 |
|
|
|
206e80 |
update-ca-trust(8)
|
|
|
206e80 |
==================
|
|
|
206e80 |
:doctype: manpage
|
|
|
206e80 |
:man source: update-ca-trust
|
|
|
206e80 |
|
|
|
206e80 |
|
|
|
206e80 |
NAME
|
|
|
206e80 |
----
|
|
|
206e80 |
update-ca-trust - manage consolidated and dynamic configuration of CA
|
|
|
206e80 |
certificates and associated trust
|
|
|
206e80 |
|
|
|
206e80 |
|
|
|
206e80 |
SYNOPSIS
|
|
|
206e80 |
--------
|
|
|
206e80 |
*update-ca-trust* ['COMMAND']
|
|
|
206e80 |
|
|
|
206e80 |
|
|
|
206e80 |
DESCRIPTION
|
|
|
206e80 |
-----------
|
|
|
206e80 |
update-ca-trust(8) is used to manage a consolidated and dynamic configuration
|
|
|
206e80 |
feature of Certificate Authority (CA) certificates and associated trust.
|
|
|
206e80 |
|
|
|
206e80 |
The feature is available for new applications that read the
|
|
|
206e80 |
consolidated configuration files found in the /etc/pki/ca-trust/extracted directory
|
|
|
206e80 |
or that load the PKCS#11 module p11-kit-trust.so
|
|
|
206e80 |
|
|
|
206e80 |
Parts of the new feature are also provided in a way to make it useful
|
|
|
206e80 |
for legacy applications.
|
|
|
206e80 |
|
|
|
206e80 |
Many legacy applications expect CA certificates and trust configuration
|
|
|
206e80 |
in a fixed location, contained in files with particular path and name,
|
|
|
206e80 |
or by referring to a classic PKCS#11 trust module provided by the
|
|
|
206e80 |
NSS cryptographic library.
|
|
|
206e80 |
|
|
|
206e80 |
The dynamic configuration feature provides functionally compatible replacements
|
|
|
206e80 |
for classic configuration files and for the classic NSS trust module named libnssckbi.
|
|
|
206e80 |
|
|
|
206e80 |
In order to enable legacy applications, that read the classic files or
|
|
|
206e80 |
access the classic module, to make use of the new consolidated and dynamic configuration
|
|
|
206e80 |
feature, the classic filenames have been changed to symbolic links.
|
|
|
206e80 |
The symbolic links refer to dynamically created and consolidated
|
|
|
206e80 |
output stored below the /etc/pki/ca-trust/extracted directory hierarchy.
|
|
|
206e80 |
|
|
|
206e80 |
The output is produced using the 'update-ca-trust' command (without parameters),
|
|
|
206e80 |
or using the 'update-ca-trust extract' command.
|
|
|
206e80 |
In order to produce the output, a flexible set of source configuration
|
|
|
206e80 |
is read, as described in section <<sourceconf,SOURCE CONFIGURATION>>.
|
|
|
206e80 |
|
|
|
206e80 |
In addition, the classic PKCS#11 module
|
|
|
206e80 |
is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically
|
|
|
206e80 |
reads the same source configuration.
|
|
|
206e80 |
|
|
|
206e80 |
|
|
|
206e80 |
[[sourceconf]]
|
|
|
206e80 |
SOURCE CONFIGURATION
|
|
|
206e80 |
--------------------
|
|
|
206e80 |
The dynamic configuration feature uses several source directories that
|
|
|
206e80 |
will be scanned for any number of source files. *It is important to select
|
|
|
206e80 |
the correct subdirectory for adding files, as the subdirectory defines how
|
|
|
206e80 |
contained certificates will be trusted or distrusted, and which file formats are read.*
|
|
|
206e80 |
|
|
|
206e80 |
Files in *subdirectories below the directory hierarchy /usr/share/pki/ca-trust-source/* contain CA certificates and
|
|
|
206e80 |
trust settings in the PEM file format. The trust settings found here will be
|
|
|
206e80 |
interpreted with a *low priority*.
|
|
|
206e80 |
|
|
|
206e80 |
Files in *subdirectories below the directory hierarchy /etc/pki/ca-trust/source/* contain CA certificates and
|
|
|
206e80 |
trust settings in the PEM file format. The trust settings found here will be
|
|
|
206e80 |
interpreted with a *high priority*.
|
|
|
206e80 |
|
|
|
206e80 |
.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy:
|
|
|
206e80 |
* If you are manually adding a configuration file to a system, you probably
|
|
|
206e80 |
want it to override any other default configuration, and you most likely should
|
|
|
206e80 |
add it to the respective subdirectory in the /etc hierarchy.
|
|
|
206e80 |
* If you are creating a package that provides additional root CA certificates,
|
|
|
206e80 |
that is intended for distribution to several computer systems, but you still
|
|
|
206e80 |
want to allow the administrator to override your list, then your package should
|
|
|
206e80 |
add your files to the respective subdirectory in the /usr hierarchy.
|
|
|
206e80 |
* If you are creating a package that is supposed to override the default system
|
|
|
206e80 |
trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective
|
|
|
206e80 |
subdirectory in the /etc hierarchy.
|
|
|
206e80 |
|
|
|
206e80 |
.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
|
|
|
206e80 |
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/
|
|
|
206e80 |
* run 'update-ca-trust extract'
|
|
|
206e80 |
|
|
|
206e80 |
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
|
|
|
206e80 |
* add it as a new file to directory /etc/pki/ca-trust/source/
|
|
|
206e80 |
* run 'update-ca-trust extract'
|
|
|
206e80 |
|
|
|
206e80 |
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
|
|
|
206e80 |
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
|
|
|
206e80 |
* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
|
|
|
206e80 |
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
|
|
206e80 |
|
|
|
206e80 |
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
|
|
|
206e80 |
* certificate files that include trust flags,
|
|
|
206e80 |
in the BEGIN/END TRUSTED CERTIFICATE file format
|
|
|
206e80 |
(any file name), which have been created using the openssl x509 tool
|
|
|
206e80 |
and the -addreject -addtrust options.
|
|
|
206e80 |
Bundle files with multiple certificates are supported.
|
|
|
206e80 |
* files in the p11-kit file format using the .p11-kit file name
|
|
|
206e80 |
extension, which can (e.g.) be used to distrust certificates
|
|
|
206e80 |
based on serial number and issuer name, without having the
|
|
|
206e80 |
full certificate available.
|
|
|
206e80 |
(This is currently an undocumented format, to be extended later.
|
|
|
206e80 |
For examples of the supported formats, see the files
|
|
|
206e80 |
shipped with the ca-certificates package.)
|
|
|
206e80 |
* certificate files without trust flags in either the DER file format or in
|
|
|
206e80 |
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
|
|
|
206e80 |
will be added with neutral trust, neither trusted nor distrusted.
|
|
|
206e80 |
They will simply be known to the system, which might be helpful to
|
|
|
206e80 |
assist cryptographic software in constructing chains of certificates.
|
|
|
206e80 |
(If you want a CA certificate in these file formats to be trusted, you
|
|
|
206e80 |
should remove it from this directory and move it to the
|
|
|
206e80 |
./anchors subdirectory instead.)
|
|
|
206e80 |
|
|
|
206e80 |
In the anchors subdirectories /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
|
|
|
206e80 |
you may install one or multiple certificates in either the DER file
|
|
|
206e80 |
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
|
|
206e80 |
Each certificate will be treated as *trusted* for all purposes.
|
|
|
206e80 |
|
|
|
206e80 |
In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
|
|
|
206e80 |
you may install one or multiple certificates in either the DER file
|
|
|
206e80 |
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
|
|
206e80 |
Each certificate will be treated as *distrusted* for all purposes.
|
|
|
206e80 |
|
|
|
206e80 |
Please refer to the x509(1) manual page for the documentation of the
|
|
|
206e80 |
BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
|
|
|
206e80 |
|
|
|
206e80 |
Applications that rely on a static file for a list of trusted CAs
|
|
|
206e80 |
may load one of the files found in the /etc/pki/ca-trust/extracted
|
|
|
206e80 |
directory. After modifying any file in the
|
|
|
206e80 |
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
|
|
206e80 |
directories or in any of their subdirectories, or after adding a file,
|
|
|
206e80 |
it is necessary to run the 'update-ca-trust extract' command,
|
|
|
206e80 |
in order to update the consolidated files in /etc/pki/ca-trust/extracted/ .
|
|
|
206e80 |
|
|
|
206e80 |
Applications that load the classic PKCS#11 module using filename libnssckbi.so
|
|
|
206e80 |
(which has been converted into a symbolic link pointing to the new module)
|
|
|
206e80 |
and any application capable of
|
|
|
206e80 |
loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from
|
|
|
206e80 |
the dynamically merged set of certificates and trust information stored in the
|
|
|
206e80 |
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ directories.
|
|
|
206e80 |
|
|
|
206e80 |
|
|
|
206e80 |
[[extractconf]]
|
|
|
206e80 |
EXTRACTED CONFIGURATION
|
|
|
206e80 |
-----------------------
|
|
|
206e80 |
The directory /etc/pki/ca-trust/extracted/ contains generated CA certificate
|
|
|
206e80 |
bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>>
|
|
|
206e80 |
by running the 'update-ca-trust extract' command.
|
|
|
206e80 |
|
|
|
206e80 |
If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
|
|
|
206e80 |
then you can use these files in your application to load a list of global
|
|
|
206e80 |
root CA certificates.
|
|
|
206e80 |
|
|
|
206e80 |
Please never manually edit the files stored in this directory,
|
|
|
206e80 |
because your changes will be lost and the files automatically overwritten,
|
|
|
206e80 |
each time the 'update-ca-trust extract' command gets executed.
|
|
|
206e80 |
|
|
|
206e80 |
In order to install new trusted or distrusted certificates,
|
|
|
206e80 |
please rather install them in the respective subdirectory below the
|
|
|
206e80 |
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
|
|
206e80 |
directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section.
|
|
|
206e80 |
|
|
|
206e80 |
The directory /etc/pki/ca-trust/extracted/java/ contains
|
|
|
206e80 |
a CA certificate bundle in the java keystore file format.
|
|
|
206e80 |
Distrust information cannot be represented in this file format,
|
|
|
206e80 |
and distrusted certificates are missing from these files.
|
|
|
206e80 |
File cacerts contains CA certificates trusted for TLS server authentication.
|
|
|
206e80 |
|
|
|
206e80 |
The directory /etc/pki/ca-trust/extracted/openssl/ contains
|
|
|
206e80 |
CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format,
|
|
|
206e80 |
as described in the x509(1) manual page.
|
|
|
206e80 |
File ca-bundle.trust.crt contains the full set of all trusted
|
|
|
206e80 |
or distrusted certificates, including the associated trust flags.
|
|
|
206e80 |
|
|
|
206e80 |
The directory /etc/pki/ca-trust/extracted/pem/ contains
|
|
|
206e80 |
CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format,
|
|
|
206e80 |
as described in the x509(1) manual page.
|
|
|
206e80 |
Distrust information cannot be represented in this file format,
|
|
|
206e80 |
and distrusted certificates are missing from these files.
|
|
|
206e80 |
File tls-ca-bundle.pem contains CA certificates
|
|
|
206e80 |
trusted for TLS server authentication.
|
|
|
206e80 |
File email-ca-bundle.pem contains CA certificates
|
|
|
206e80 |
trusted for E-Mail protection.
|
|
|
206e80 |
File objsign-ca-bundle.pem contains CA certificates
|
|
|
206e80 |
trusted for code signing.
|
|
|
206e80 |
|
|
|
206e80 |
|
|
|
206e80 |
COMMANDS
|
|
|
206e80 |
--------
|
|
|
206e80 |
(absent/empty command)::
|
|
|
206e80 |
Same as the *extract* command described below. (However, the command may
|
|
|
206e80 |
print fewer warnings, as this command is being run during rpm package
|
|
|
206e80 |
installation, where non-fatal status output is undesired.)
|
|
|
206e80 |
|
|
|
206e80 |
*extract*::
|
|
|
206e80 |
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
|
|
|
206e80 |
updated versions of the consolidated configuration files stored below
|
|
|
206e80 |
the /etc/pki/ca-trust/extracted directory hierarchy.
|
|
|
206e80 |
|
|
|
206e80 |
FILES
|
|
|
206e80 |
-----
|
|
|
206e80 |
/etc/pki/tls/certs/ca-bundle.crt::
|
|
|
206e80 |
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
|
|
|
206e80 |
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
|
|
206e80 |
|
|
|
206e80 |
/etc/pki/tls/certs/ca-bundle.trust.crt::
|
|
|
206e80 |
Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
|
|
|
206e80 |
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
|
|
206e80 |
|
|
|
206e80 |
/etc/pki/java/cacerts::
|
|
|
206e80 |
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
|
|
|
206e80 |
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
|
|
|
206e80 |
|
|
|
206e80 |
/usr/share/pki/ca-trust-source::
|
|
|
206e80 |
Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
|
|
|
206e80 |
|
|
|
206e80 |
/etc/pki/ca-trust/source::
|
|
|
206e80 |
Contains multiple, high priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
|
|
|
206e80 |
|
|
|
206e80 |
/etc/pki/ca-trust/extracted::
|
|
|
206e80 |
Contains consolidated and automatically generated configuration files for consumption by applications,
|
|
|
206e80 |
which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
|
|
|
206e80 |
See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
|
|
|
206e80 |
|
|
|
206e80 |
AUTHOR
|
|
|
206e80 |
------
|
|
|
206e80 |
Written by Kai Engert and Stef Walter.
|