2013-03-08 23:09:26 +00:00
|
|
|
This directory /usr/share/pki/ca-trust-source/ contains CA certificates and
|
|
|
|
trust settings in the PEM file format. The trust settings found here will be
|
2013-03-23 23:36:13 +00:00
|
|
|
interpreted with a low priority - lower than the ones found in
|
|
|
|
/etc/pki/ca-trust/source/ .
|
2013-03-08 23:09:26 +00:00
|
|
|
|
2013-03-23 23:36:13 +00:00
|
|
|
=============================================================================
|
|
|
|
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
|
|
|
|
list of CAs trusted on the system:
|
2013-03-08 23:09:26 +00:00
|
|
|
|
2013-03-23 23:36:13 +00:00
|
|
|
Copy it to the
|
|
|
|
/usr/share/pki/ca-trust-source/anchors/
|
|
|
|
subdirectory, and run the
|
|
|
|
update-ca-trust
|
|
|
|
command.
|
2013-03-08 23:09:26 +00:00
|
|
|
|
2013-03-23 23:36:13 +00:00
|
|
|
If your certificate is in the extended BEGIN TRUSTED file format,
|
|
|
|
then place it into the main source/ directory instead.
|
|
|
|
=============================================================================
|
|
|
|
|
|
|
|
Description of the source directory and its subdirectories:
|
|
|
|
-----------------------------------------------------------
|
|
|
|
In order to offer simplicity and flexibility, the way certificate files
|
|
|
|
are treated depend on the subdirectory they are installed to.
|
|
|
|
|
|
|
|
trust anchors subdirectory : /usr/share/pki/ca-trust-source/anchors/
|
|
|
|
extended format directory : /usr/share/pki/ca-trust-source/
|
|
|
|
blacklist subdirectory : /usr/share/pki/ca-trust-source/blacklist/
|
|
|
|
|
|
|
|
In the main directory /usr/share/pki/ca-trust-source/
|
|
|
|
you may install one or multiple files in the following file formats:
|
|
|
|
- certificate files that include trust flags,
|
|
|
|
in the BEGIN/END TRUSTED CERTIFICATE file format
|
|
|
|
(any file name), which have been created using the openssl x509 tool
|
|
|
|
and the -addreject -addtrust options.
|
|
|
|
Bundle files with multiple certificates are supported.
|
|
|
|
- files in the p11-kit file format using the .p11-kit file
|
|
|
|
extension, which can (e.g.) be used to distrust certificates
|
|
|
|
based on serial number and issuer name, without having the
|
|
|
|
full certificate available.
|
|
|
|
(This is currently an undocumented format, to be extended later.
|
|
|
|
For an example of a distrusted certificate, see the files
|
|
|
|
shipped with the ca-certificates package.)
|
|
|
|
- certificate files without trust flags in either the DER file format or in
|
|
|
|
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
|
|
|
|
will be added with neutral trust, neither trusted nor distrusted.
|
|
|
|
They will simply be known to the system, which might be helpful to
|
|
|
|
assist cryptographic software in constructing chains of certificates.
|
|
|
|
(If you want a CA certificate in these file formats to be trusted, you
|
|
|
|
should remove it from this directory and copy it to the
|
|
|
|
./anchors subdirectory instead.)
|
|
|
|
|
|
|
|
In the anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/
|
|
|
|
you may install one or multiple certificates in either the DER file
|
|
|
|
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
|
|
|
Each certificate will be treated as *trusted* for all purposes.
|
|
|
|
|
|
|
|
In the blacklist subdirectory: /usr/share/pki/ca-trust-source/blacklist/
|
|
|
|
you may install one or multiple certificates in either the DER file
|
|
|
|
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
|
|
|
Each certificate will be treated as *distrusted* for all purposes.
|
|
|
|
|
|
|
|
Please refer to the x509(1) manual page for the documentation of the
|
|
|
|
BEGIN/END CERTIFICATE
|
|
|
|
and
|
|
|
|
BEGIN/END TRUSTED CERTIFICATE
|
|
|
|
file formats.
|
|
|
|
|
|
|
|
|
|
|
|
Purpose:
|
|
|
|
--------
|
|
|
|
Applications that are able to use PKCS#11 modules can load the
|
|
|
|
p11-kit-trust.so module and will benefit from the dynamically merged
|
|
|
|
set of certificates and trust information stored in the
|
|
|
|
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
|
|
|
|
directories.
|
2013-03-08 23:09:26 +00:00
|
|
|
|
|
|
|
Applications that rely on a static file for a list of trusted CAs
|
|
|
|
may load one of the files found in the /etc/pki/ca-trust/extracted
|
2013-03-23 23:36:13 +00:00
|
|
|
directory. After modifying any file stored in the
|
|
|
|
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
2013-05-27 13:28:11 +00:00
|
|
|
directories, it is required to run the update-ca-trust command,
|
2013-03-23 23:36:13 +00:00
|
|
|
in order to update the merged files in /etc/pki/ca-trust/extracted/ .
|