Install and List Root CA Certificate on Linux

Updated: Aug 28

There are two ways to add a CA certificate to the system trust store on Linux: update-ca-trust or trust anchor.


We need to install the ca-certificates package first with the command yum install ca-certificates; it provides both tools and the /etc/pki/ca-trust directory tree.



Using update-ca-trust to install a CA certificate

  • Copy the CA certificate to the directory /etc/pki/ca-trust/source/anchors/:

# cp rapidSSL-ca.crt /etc/pki/ca-trust/source/anchors/

  • Update the trust store so the new CA is extracted into the list of trusted CAs:

# update-ca-trust

  • Verify the SSL certificate:

# openssl verify server.crt
server.crt : OK


Using trust anchor to add a CA certificate

  • Run trust anchor --store by specifying CA certificate:

# trust anchor --store ca.crt

  • Check the list of trusted CAs:

# trust list
pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a%ae%e4%aa%a8%1c%82%56%da%75;type=cert
type: certificate
label: RapidSSL RSA CA 2018
trust: anchor
category: authority
..snip..

  • Verify the server certificate:

# openssl verify server.crt
server.crt : OK



If we want to remove the CA certificate, run trust anchor --remove with either the pkcs11 URI shown by trust list or the .p11-kit file that trust anchor --store created:


# trust anchor --remove pkcs11:id=%53%ca%17%59%fc%6b%c0%03%21%2f%1a%ae%e4%aa%a8%1c%82%56%da%75
  or
# trust anchor --remove /etc/pki/ca-trust/source/RapidSSL_RSA_CA_2018.p11-kit


List all CA certificates in Linux

Once the CA certificate is added, it is made available through the /etc/pki/ca-trust/extracted tree:



$ ls /etc/pki/ca-trust/extracted
edk2 java openssl pem README

Applications that look in this directory to verify certificates can use whichever format they need. The update command handles the copies, conversions, and consolidation for the different formats.


The man page for update-ca-trust has more information about the directory structure, formats, and ways that certificates are accessed.


A quick way to list all of the certificate subjects in the bundle is with the following awk and openssl commands:


$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
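The two verification steps above (openssl verify after update-ca-trust and after trust anchor) and the awk pipeline for listing subjects can be rehearsed without root and without touching /etc/pki. The shell script below is an added example, not part of the original post: it generates a throwaway test CA and server certificate with openssl (constructed names such as "Test Root CA" and server.example.test), uses a local bundle file in place of /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, and assumes openssl 1.1.1 or newer for the -no-CApath option.

```shell
#!/bin/sh
# Added example (not from the original post): a self-contained rehearsal of the
# checks above. It builds a throwaway test CA and a server certificate with
# openssl, shows that "openssl verify" only reports OK once the issuing CA sits
# in the trusted bundle, and then runs the post's awk + openssl pipeline to list
# the subjects in that bundle. Every file name is constructed under a temporary
# directory; bundle-after.pem stands in for the
# /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem that update-ca-trust builds.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the test CA carries CA:TRUE regardless of the
# host's /etc/pki/tls/openssl.cnf (constructed; not the distro's config).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME SUBJECT: self-signed test CA certificate and key
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 2 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA: server certificate for NAME.example.test signed by CA
make_leaf() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# verify_against BUNDLE CERT: prints OK when CERT chains to an anchor in BUNDLE,
# FAIL otherwise. -no-CApath keeps the host's certificate directory out of the
# lookup, so the answer depends only on the bundle we hand in.
verify_against() {
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# count_certs BUNDLE: number of PEM certificate blocks in the bundle
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# list_subjects BUNDLE: the post's awk + openssl pipeline, one subject per line.
# awk pipes every line into one openssl process and restarts that process on
# each BEGIN line, so openssl parses exactly one certificate per run.
list_subjects() {
    awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}

# --- demonstration (constructed data) ---------------------------------------
make_ca testroot "Test Root CA"
make_ca otherroot "Other Test CA"
make_leaf server testroot

# Before the anchor is installed: the bundle holds only an unrelated CA.
cp "$WORK/otherroot.crt" "$WORK/bundle-before.pem"
# After update-ca-trust / trust anchor: the issuing CA is consolidated in too.
cat "$WORK/otherroot.crt" "$WORK/testroot.crt" > "$WORK/bundle-after.pem"

echo "before adding the anchor: $(verify_against "$WORK/bundle-before.pem" "$WORK/server.crt")"  # FAIL
echo "after adding the anchor:  $(verify_against "$WORK/bundle-after.pem" "$WORK/server.crt")"   # OK
echo "certificates in bundle:   $(count_certs "$WORK/bundle-after.pem")"                          # 2
list_subjects "$WORK/bundle-after.pem"
```

Run it as an unprivileged user. The FAIL line is what openssl verify server.crt reports on a host whose trust store has not been updated yet, and the OK line is what the steps above produce once the anchor is in place. Against the real store, list_subjects /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem prints every subject, and count_certs on the same file is a quick sanity check that update-ca-trust actually picked up the new anchor.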
