4 Managing System Certificates

Oracle Linux stores certificates that are trusted at a system-wide level within the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. Typically, the CA certificates of major third-party CAs are included within the system-wide trust store to enable applications to work correctly. By storing trusted certificates in a central location, a wide range of applications can use these trusted certificates to validate and authenticate certificate chains. For example, when an application needs to validate a certificate, it uses the certificates within the system-wide trust store to confirm whether the certificate either matches a trusted certificate, or is signed by one.

A certificate, such as a CA certificate, that's stored on a system as a trusted certificate is often referred to as a trust anchor. This distinguishes the certificate from one for which trust is derived, typically by walking through a certificate chain until a trust anchor is found. You can add any public certificate to the system trust as a trust anchor so that it can be validated immediately.

Commonly trusted third-party CA certificates are selected by the Mozilla Foundation and are included in the ca-certificates package. These certificates are installed into the system trust store as anchors for general use.

Using the trust Command To Manage System Certificates

The trust command can simplify system certificate management. This command is available in the p11-kit-trust package and is installed by default on most Oracle Linux systems.

See the trust(1) manual page for more information.

Listing Certificates in the System Trust

To list certificates that are currently trusted, run:

trust list

Output similar to the following is displayed:

pkcs11:id=%37%7F%3E%3E%99%71%60%CA%24%D4%91%13%79%D0%74%29%B4%A8%24%D8;type=cert
    type: certificate
    label: A-CERT ADVANCED
    trust: anchor
    category: authority

pkcs11:id=%4B%3C%8C%1D%85%E9%6F%AD;type=cert
    type: certificate
    label: A-Trust-Qual-01
    trust: anchor
    category: authority
...

Note that each certificate in the system trust is allocated a pkcs11:id value that can be used to identify a particular certificate for other trust operations.

Adding a Certificate as a Trust Anchor

To add a certificate to the system trust anchors, run:

sudo trust anchor /path/to/public.cert

Substitute /path/to/public.cert with the path to the certificate file that you want to add to the system trust.

When you run this command, the certificate is added to the /etc/pki/ca-trust/source/ directory and the system trust is refreshed. The certificate is immediately trusted as an anchor.

Typically, you only add certificates from providers that you trust and which aren't already available in the system trust. You can also add self-signed certificates that you might generate for demonstration purposes or for particular internal or developer tooling.

Removing a Certificate From the System Trust Anchors

To remove a certificate from the system trust anchors, run:

sudo trust anchor --remove pkcs11:id=<ID>

Use the matching pkcs11:id value to provide the <ID> of the certificate that you want to remove. Alternately, if you have a copy of the certificate available, run:

sudo trust anchor --remove /path/to/public.cert

The system trust store is updated immediately.
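The removal command above needs the pkcs11:id of the certificate, which in practice you look up by label in the trust list output. The following script is an added example and is not part of the Oracle Linux documentation or the p11-kit project: find_anchor_id reads trust list output on standard input and prints the pkcs11:id whose label matches exactly, and remove_anchor_by_label wraps that lookup around trust anchor --remove. The SAMPLE_TRUST_LIST text is constructed for offline use and mirrors the format shown in the listing section; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation): look up the
# pkcs11:id of a trust anchor by its label, then remove it by that id.

# find_anchor_id LABEL
#   Reads `trust list` output on stdin. Each entry starts with a line
#   beginning "pkcs11:" followed by indented "key: value" lines, so we
#   remember the most recent pkcs11 line and print it when the label
#   matches LABEL exactly. Exit status is 1 when no entry matches.
find_anchor_id() {
    awk -v want="$1" '
        /^pkcs11:/ { id = $0; next }
        /^[ \t]*label:/ {
            sub(/^[ \t]*label:[ \t]*/, "")
            if ($0 == want) { print id; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# remove_anchor_by_label LABEL
#   Resolves LABEL to its pkcs11:id via the live trust list and removes
#   that anchor. Refuses to act when the label is absent, so a typo does
#   not silently do nothing or remove the wrong certificate.
remove_anchor_by_label() {
    id=$(trust list | find_anchor_id "$1") || {
        echo "no trust anchor labelled '$1'" >&2
        return 1
    }
    sudo trust anchor --remove "$id"
}

# Constructed sample of `trust list` output for offline demonstration.
SAMPLE_TRUST_LIST=$(cat <<'EOF'
pkcs11:id=%37%7F%3E%3E%99%71%60%CA%24%D4%91%13%79%D0%74%29%B4%A8%24%D8;type=cert
    type: certificate
    label: A-CERT ADVANCED
    trust: anchor
    category: authority

pkcs11:id=%4B%3C%8C%1D%85%E9%6F%AD;type=cert
    type: certificate
    label: A-Trust-Qual-01
    trust: anchor
    category: authority
EOF
)

# Demonstration against the constructed sample only; on a real system you
# would run:  remove_anchor_by_label "A-Trust-Qual-01"
printf '%s\n' "$SAMPLE_TRUST_LIST" | find_anchor_id "A-Trust-Qual-01"
```

Matching on the exact label rather than a substring matters because labels such as "A-Trust-Qual-01" and a hypothetical "A-Trust-Qual-01 Test" would otherwise both match; the function exits non-zero when nothing matches so that a removal wrapper can stop instead of passing an empty id to trust anchor --remove.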

Manually Updating Trusted Certificates

You can manually add a certificate to the system trust store by copying the certificate to either the /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ directories. This operation doesn't have immediate effect and you must run the update-ca-trust command to refresh the system trust store after you make manual updates to these directories.

For example:

sudo cp /path/to/public.cert /etc/pki/ca-trust/source/anchors
sudo update-ca-trust

See the update-ca-trust(8) manual page for more information.
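Because a file copied into the anchors directory is not trusted until update-ca-trust runs, it is easy to copy a file that is not actually a PEM certificate and only discover the mistake later. The following script is an added example, not part of the Oracle Linux documentation: is_pem_cert checks that a file carries PEM certificate markers before it is installed, and install_anchor performs the copy, refreshes the trust store, and confirms the anchor is now visible with trust list. The function names and the constructed sample file contents are this example's own assumptions; the sample is not a real certificate.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation): install a
# certificate into the anchors directory with a pre-check and a
# post-refresh verification.

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors

# is_pem_cert FILE
#   Returns 0 when FILE contains at least one PEM certificate block, i.e.
#   both a BEGIN CERTIFICATE and an END CERTIFICATE marker. This catches
#   the common mistakes of copying a private key, a DER file, or an
#   unrelated file into the anchors directory.
is_pem_cert() {
    [ -f "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$1" || return 1
    return 0
}

# install_anchor FILE LABEL
#   Copies FILE into the anchors directory, refreshes the system trust
#   store, and checks that an entry labelled LABEL (typically the
#   certificate's subject CN) now appears in `trust list`.
install_anchor() {
    cert=$1
    label=$2
    is_pem_cert "$cert" || {
        echo "$cert is not a PEM certificate; not installing" >&2
        return 1
    }
    sudo cp "$cert" "$ANCHOR_DIR/"
    sudo update-ca-trust
    # The copy alone has no effect; only after update-ca-trust does the
    # anchor show up here.
    if trust list | grep -q "label: $label\$"; then
        echo "anchor '$label' is now trusted"
    else
        echo "anchor '$label' not found after update-ca-trust" >&2
        return 1
    fi
}

# Constructed sample used only to demonstrate the pre-check offline.
# The body is placeholder text, not a real certificate.
SAMPLE_CERT=$(mktemp)
cat > "$SAMPLE_CERT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderBodyNotARealCertificate==
-----END CERTIFICATE-----
EOF

if is_pem_cert "$SAMPLE_CERT"; then
    echo "sample file looks like a PEM certificate"
fi
rm -f "$SAMPLE_CERT"
# On a real system:  install_anchor /path/to/public.cert "My Internal CA"
```

The marker check is deliberately light: it does not validate the certificate's contents, only that the file is in the form the anchors directory expects. Where openssl is available, openssl x509 -noout -in FILE is the stronger pre-check, and the verification step still relies on trust list as the authoritative view of what the system now trusts.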