"trust" Command to Manage Linux Trust Store

This section describes the 'trust' command from the 'p11-kit' package to manage the Linux Trust Store.

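What Is the "trust" Command? The "trust" command is provided by the p11-kit package to manage the Linux Trust Store. It provides 4 sub-commands:

 "trust list" - Search certificates in the Linux Trust Store
 "trust extract" - Extract certificates from the Linux Trust Store
 "trust dump" - Dump information from the Linux Trust Store
 "trust anchor" - Add and remove certificates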

Here is an example of using the "trust" command to list all root CA certificates in the Trust Store.

herong$ trust list

pkcs11:id=%D2%87%B4%E3%DF%37%27%93%55%F6%56%EA%81%E5%36%CC%8C%1E%3F%BD;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority
...

pkcs11:id=%03%DE%50%35%56%D1%4C%BB%66%F0%A3%E2%1B%1B%C3%97%B2%3D%D1%55;type=cert
    type: certificate
    label: DigiCert Global Root CA
    trust: anchor
    category: authority
...

pkcs11:id=%88%68%BF%E0%8E%35%C4%3B%38%6B%62%F7%28%3B%84%81%C8%0C%D7%4D;type=cert
    type: certificate
    label: Explicitly Distrust DigiNotar Root CA
    trust: blacklisted
    category: authority
...

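Each root CA certificate in the Trust Store is presented with 4 properties, as seen in the output above:

 "type" - "certificate" for every entry shown
 "label" - The name of the certificate, for example "DigiCert Global Root CA"
 "trust" - The trust setting, "anchor" or "blacklisted" in the entries shown
 "category" - "authority" for every entry shown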

Note that the "id" component of the PKCS#11 URI actually contains the Subject Key ID of the certificate. For example:

id of PKCS#11 URI:
  %03%DE%50%35%56%D1%4C%BB%66%F0%A3%E2%1B%1B%C3%97%B2%3D%D1%55

Subject Key ID: 
   03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
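
The following shell/awk filter is an added example, not part of the original page. It turns "trust list" output into one line per certificate, with the Subject Key ID in colon-separated form, and lists the entries whose trust value is not "anchor". The function names are made up for this example, the sample records are copied from the output above, and it assumes every byte of the id is percent-encoded, as in that output.

```shell
#!/bin/sh
# Sample input: two records copied from the "trust list" output shown above.
sample_trust_list() {
cat <<'EOF'
pkcs11:id=%03%DE%50%35%56%D1%4C%BB%66%F0%A3%E2%1B%1B%C3%97%B2%3D%D1%55;type=cert
    type: certificate
    label: DigiCert Global Root CA
    trust: anchor
    category: authority
...

pkcs11:id=%88%68%BF%E0%8E%35%C4%3B%38%6B%62%F7%28%3B%84%81%C8%0C%D7%4D;type=cert
    type: certificate
    label: Explicitly Distrust DigiNotar Root CA
    trust: blacklisted
    category: authority
EOF
}

# Print one line per certificate: Subject Key ID, trust value, label (tab-separated).
summarize_trust_list() {
    awk '
    function emit() {
        if (ski != "") printf "%s\t%s\t%s\n", ski, f["trust"], f["label"]
        ski = ""; split("", f)                  # reset state for the next record
    }
    /^pkcs11:/ {                                # a URI line starts a new record
        emit()
        ski = $0
        sub(/^pkcs11:id=/, "", ski); sub(/;.*$/, "", ski)   # keep only the id value
        sub(/^%/, "", ski); gsub(/%/, ":", ski)              # %03%DE -> 03:DE
        next
    }
    ski != "" && /^[ \t]+[a-z]+: / {            # indented "key: value" property line
        key = $1; sub(/:$/, "", key)
        val = $0; sub(/^[ \t]+[a-z]+: /, "", val)
        f[key] = val
    }
    END { emit() }'
}

# Entries whose trust value is anything other than "anchor".
not_anchors() {
    summarize_trust_list | awk -F '\t' '$2 != "anchor"'
}

sample_trust_list | summarize_trust_list
```

On a live system, feed it real data with `trust list | summarize_trust_list` or `trust list | not_anchors`.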

Visit https://manpages.ubuntu.com/manpages/focal/man1/trust.1.html for more details on the "trust" command.

Visit https://p11-glue.github.io/p11-glue/p11-kit.html for more details on the "p11-kit" package.
