2 Ways to Install and Check Root CA Certificate on Linux

Table of Contents

We have two methods to use update-ca-trust or trust anchor to add a CA certificate on Linux.

We need to install the ca-certificates package first with the command yum install ca-certificates.

Understanding Root CA certificate

SSL certificates operate on a structure called the certificate chain — a network of certificates starting back at the issuing company of the certificate, also known as a certificate authority (CA). These certificates consist of root certificates, intermediate certificates, and leaf (server) certificates.

As for Root CA certificates, these are certificates that are self-signed by their respective CA (as they have the authority to do so). Every valid SSL certificate is under a Root CA certificate, as these are trusted parties.

Check SSL Certificate Chain with OpenSSL Examples


Do we need install CA certificate?

Typically, we don’t need to install a Root CA certificate, as they are included in web browsers’ trust stores and are even pre-installed on some operating systems.

This allows our computer to be able to tell whether or not a certificate is invalid, because if its root certificate isn’t on their trusted root CA list, then it’ll warn us that the certificate is not a trusted one.

Using update-ca-trust to install a CA certificate

  • Copy the CA certificate to the directory /etc/pki/ca-trust/source/anchors/:# cp rapidSSL-ca.crt /etc/pki/ca-trust/source/anchors/
  • Extract a CA certificate to the list of trusted CA’s:# update-ca-trust
  • Verify the SSL certificate:# openssl verify server.crt server.crt : OK


Using trust anchor to add a CA certificate

Run trust anchor –store by specifying CA certificate:# trust anchor –store ca.crt

Check the list of trusted CA’s
# trust list
type: certificate
label: RapidSSL RSA CA 2018
trust: anchor
category: authority

verify the server certificate:# openssl verify server.crt
server.crt : OK

If we want to remove the CA certificate, run trust anchor –remove as follows:

# trust anchor –remove pkcs11:id=%53%ca%17%59
# trust anchor –remove /etc/pki/ca-trust/source/RapidSSL_RSA_CA_2018.p11-kit

List all CA certificates in Linux

Once the ca certificate is added, the certificate is made available through the /etc/pki/ca-trust/extracted tree:

$ ls /etc/pki/ca-trust/extracted
edk2 java openssl pem README

Applications that look to this directory to verify certificates can use any of the formats provided. The update command handles the copies, conversions, and consolidation for the different formats.

The man page for update-ca-trust has more information about the directory structure, formats, and ways that certificates are accessed.

We have a quick way to list all of the certificate subjects in the bundle is with the following awk and openssl commands:

$ awk -v cmd=’openssl x509 -noout -subject’ ‘/BEGIN/{close(cmd)};{print | cmd}’ < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Check SSL Certificate with OpenSSL



Welcome to!

Our website is dedicated to providing comprehensive information on using Linux.

We hope you find our site helpful and informative, and we welcome your feedback and suggestions for future content.

Learn More