This directory /usr/share/pki/ca-trust-source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a low priority, lower than the ones found in
/etc/pki/ca-trust/source.

You may install additional certificates or bundles into this directory.

Each file may contain one or many certificates and trust flags in a
PEM file format, as documented in the x509(1) manual page.
Allowed formats are:
- The BEGIN/END CERTIFICATE file format.
  Such certificates will be trusted for TLS server auth only.
- The BEGIN/END TRUSTED CERTIFICATE file format.
  Such certificates will be trusted or distrusted according to the
  trust settings contained in the PEM format data blocks.

Applications that are able to use PKCS#11 modules can dynamically use
the merged set of certificates from
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source
by loading p11-kit-trust.so.

Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying the set of files stored in
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source,
it is required to run the ca-update-trust command
in order to update the merged files in /etc/pki/ca-trust/extracted.
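
A pre-install check for the "Allowed formats" list above, added here as an example and not part of this README or the package that ships it: it lists every PEM block in a file and reports how this README says the block will be treated, flagging block types that do not belong in a trust source directory. The names `audit_pem` and `ALLOWED` are hypothetical, and the sample bodies are constructed placeholders, not real certificates.

```python
import base64
import re

# Block labels this README allows, and the treatment it describes for each.
ALLOWED = {
    "CERTIFICATE": "trusted for TLS server auth only",
    "TRUSTED CERTIFICATE": "trusted or distrusted per embedded trust settings",
}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def audit_pem(text):
    """Return one (label, verdict) tuple per PEM block found in text."""
    findings = []
    for label, body in PEM_BLOCK.findall(text):
        if label not in ALLOWED:
            # e.g. a private key or CSR copied in by mistake
            findings.append((label, "NOT ALLOWED here"))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append((label, "corrupt base64 body"))
            continue
        # Every DER-encoded certificate starts with an ASN.1 SEQUENCE (0x30).
        if der.startswith(b"\x30"):
            findings.append((label, ALLOWED[label]))
        else:
            findings.append((label, "body is not a DER SEQUENCE"))
    return findings


def _block(label, der):
    """Build a PEM block around the given bytes (sample data only)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample file: two allowed blocks, one stray key, one damaged block.
SAMPLE = (
    _block("CERTIFICATE", b"\x30\x03\x02\x01\x01")
    + _block("TRUSTED CERTIFICATE", b"\x30\x03\x02\x01\x01")
    + _block("PRIVATE KEY", b"\x30\x03\x02\x01\x01")
    + "-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for label, verdict in audit_pem(SAMPLE):
        print(f"{label}: {verdict}")
```

The check only inspects block labels and the outer encoding; it does not decode the trust settings inside a TRUSTED CERTIFICATE block.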