2 Ways to Install and Check Root CA Certificate on Linux

We have two methods to use update-ca-trust or trust anchor to add a CA certificate on Linux.

We need to install the ca-certificates package first with the command yum install ca-certificates.

Table of Contents

Understanding Root CA certificate

SSL certificates operate on a structure called the certificate chain — a network of certificates starting back at the issuing company of the certificate, also known as a certificate authority (CA).

These certificates consist of root certificates, intermediate certificates, and leaf (server) certificates.

As for Root CA certificates, these are certificates that are self-signed by their respective CA (as they have the authority to do so). Every valid SSL certificate is under a Root CA certificate, as these are trusted parties.

Do we need to install CA certificate?

Typically, we don’t need to install a Root CA certificate, as they are included in web browsers’ trust stores and are even pre-installed on some operating systems.

This allows our computer to be able to tell whether or not a certificate is invalid, because if its root certificate isn’t on their trusted root CA list, then it’ll warn us that the certificate is not a trusted one.

Using update-ca-trust to install a CA certificate in Linux

Copy the CA certificate to the directory /etc/pki/ca-trust/source/anchors/:
# cp rapidSSL-ca.crt /etc/pki/ca-trust/source/anchors/
This command copies the Certificate Authority (CA) certificate (rapidSSL-ca.crt in this case) to the /etc/pki/ca-trust/source/anchors/ directory.This directory is where Red Hat and CentOS Linux distributions look for additional trusted CA certificates that are not in the system’s primary CA bundle.
Extract a CA certificate to the list of trusted CA’s:
# update-ca-trust
It enables the system to recognize and accept certificates issued by the newly added CA. In simple terms, it updates your system’s list of trusted CAs with the new certificate you’ve added in the previous step.
Verify the SSL certificate:
# openssl verify server.crt server.crt : OK
The openssl verify command is used to check the SSL certificate against the CA certificates to verify its authenticity.If the SSL certificate can be validated (i.e., it was issued by a trusted CA), the command will output OK. In this case, server.crt is the SSL certificate you’re verifying. If there’s a problem with the certificate, the command will output an error message.

Using trust anchor to add a CA certificate

To run the trust anchor -store command and specify a CA certificate:
trust anchor --store ca.crtThis command uses the trust utility in Linux to add a new Certificate Authority (CA) certificate to the system’s list of trusted CAs. In this case, ca.crt is the new CA certificate you’re adding. The –store option tells the trust utility to store the new CA certificate. In simple terms, this command makes your system trust certificates issued by the CA in ca.crt.
To check the list of trusted CA’s:
```
trust list
pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a
type: certificate
label: RapidSSL RSA CA 2018
trust: anchor
category: authority
..snip..
```
This command lists all the CA certificates that your system currently trusts. The output of this command includes various details about each trusted CA certificate.
To verify the server certificate using OpenSSL:
openssl verify server.crt server.crt : OK

Here is an example of trust list command.

pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a: This line represents the unique identifier for the CA certificate. The pkcs11:id= prefix indicates that this identifier conforms to the PKCS #11 standard, which is a cryptographic standard used by many systems and applications.
type: certificate This line indicates the type of the object. In this case, it’s a certificate.
label: RapidSSL RSA CA 2018 This line is the human-readable label for the CA certificate. In this case, it’s “RapidSSL RSA CA 2018”.
trust: anchor This line indicates the trust level of the CA certificate. “Anchor” means that this certificate is a trusted root certificate. It’s called an “anchor” because it serves as the starting point for trust in a chain of certificates.
category: authority This line indicates the category of the certificate. “Authority” means that this is a CA certificate, which can be used to issue other certificates.

If we want to remove the CA certificate, run trust anchor –remove as follows:

# trust anchor --remove pkcs11:id=%53%ca%17%59

# trust anchor --remove /etc/pki/ca-trust/source/RapidSSL_RSA_CA_2018.p11-kit

List all CA certificates in Linux

Once the ca certificate is added, the certificate is made available through the /etc/pki/ca-trust/extracted tree:

$ ls /etc/pki/ca-trust/extracted edk2 java openssl pem README

Applications that look to this directory to verify certificates can use any of the formats provided. The update command handles the copies, conversions, and consolidation for the different formats.

.
├── edk2 │ ├── cacerts.bin │ └── README ├── java │ ├── cacerts │ └── README ├── openssl │ ├── ca-bundle.trust.crt │ └── README ├── pem │ ├── email-ca-bundle.pem │ ├── objsign-ca-bundle.pem │ ├── README │ └── tls-ca-bundle.pem └── README

The man page for update-ca-trust has more information about the directory structure, formats, and ways that certificates are accessed.

We have a quick way to list all of the certificate subjects in the bundle is with the following awk and openssl commands:

$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem