The Mozilla CA root certificate bundle
Go to file
Kai Engert b2e71a9f9a * Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-12
- Use both label and serial to identify cert during conversion, rhbz#927601
- Add myself as contributor to certdata2.pem.py and remove use of rcs/ident.
  (thanks to Michael Shuler for suggesting to do so)
- Update source URLs and comments, add source file for version information.
2013-04-22 14:58:59 +02:00
.gitignore update to r1.78, removing trust from DigiNotar root (#734679) 2011-09-01 14:36:45 +01:00
blacklist.txt * Fri Jan 04 2013 Paul Wouters <pwouters@redhat.com> - 2012.87-1 2013-01-04 12:50:54 -05:00
ca-certificates.spec * Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-12 2013-04-22 14:58:59 +02:00
certdata2pem.py * Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-12 2013-04-22 14:58:59 +02:00
certdata.txt * Fri Jan 04 2013 Paul Wouters <pwouters@redhat.com> - 2012.87-1 2013-01-04 12:50:54 -05:00
fetch.sh - update to r1.65 2010-11-09 08:24:29 +00:00
generate-cacerts.pl update to r1.80 2011-11-09 14:36:15 -08:00
nssckbi.h * Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-12 2013-04-22 14:58:59 +02:00
README.etc * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9 2013-03-09 00:09:26 +01:00
README.extr * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9 2013-03-09 00:09:26 +01:00
README.java * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9 2013-03-09 00:09:26 +01:00
README.openssl * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9 2013-03-09 00:09:26 +01:00
README.pem * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9 2013-03-09 00:09:26 +01:00
README.src * Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11 2013-03-24 00:36:13 +01:00
README.usr * Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11 2013-03-24 00:36:13 +01:00
sources Setup of module ca-certificates 2008-05-30 20:08:46 +00:00
trust-fixes * Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11 2013-03-24 00:36:13 +01:00
update-ca-trust * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9 2013-03-09 00:09:26 +01:00

This directory /usr/share/pki/ca-trust-source/ contains CA certificates and 
trust settings in the PEM file format. The trust settings found here will be
interpreted with a low priority - lower than the ones found in 
/etc/pki/ca-trust/source/ .

=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
            list of CAs trusted on the system:

            Copy it to the
                    /usr/share/pki/ca-trust-source/anchors/
            subdirectory, and run the
                    update-ca-trust
            command.

            If your certificate is in the extended BEGIN TRUSTED file format,
            then place it into the main source/ directory instead.
=============================================================================

Description of the source directory and its subdirectories:
-----------------------------------------------------------
In order to offer simplicity and flexibility, the way certificate files
are treated depend on the subdirectory they are installed to.

  trust anchors subdirectory : /usr/share/pki/ca-trust-source/anchors/
  extended format directory  : /usr/share/pki/ca-trust-source/
  blacklist subdirectory     : /usr/share/pki/ca-trust-source/blacklist/

In the main directory /usr/share/pki/ca-trust-source/
you may install one or multiple files in the following file formats:
- certificate files that include trust flags,
  in the BEGIN/END TRUSTED CERTIFICATE file format
  (any file name), which have been created using the openssl x509 tool
  and the -addreject -addtrust options.
  Bundle files with multiple certificates are supported.
- files in the p11-kit file format using the .p11-kit file
  extension, which can (e.g.) be used to distrust certificates
  based on serial number and issuer name, without having the
  full certificate available.
  (This is currently an undocumented format, to be extended later.
   For an example of a distrusted certificate, see the files
   shipped with the ca-certificates package.)
- certificate files without trust flags in either the DER file format or in
  the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files 
  will be added with neutral trust, neither trusted nor distrusted.
  They will simply be known to the system, which might be helpful to
  assist cryptographic software in constructing chains of certificates.
  (If you want a CA certificate in these file formats to be trusted, you 
   should remove it from this directory and copy it to the 
   ./anchors subdirectory instead.)

In the anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.

In the blacklist subdirectory: /usr/share/pki/ca-trust-source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.

Please refer to the x509(1) manual page for the documentation of the
  BEGIN/END CERTIFICATE
and 
  BEGIN/END TRUSTED CERTIFICATE
file formats.


Purpose:
--------
Applications that are able to use PKCS#11 modules can load the 
p11-kit-trust.so module and will benefit from the dynamically merged
set of certificates and trust information stored in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.

Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying any file stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
directories, it is required to run the ca-update-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted/ .