PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
Directory and Files of Linux Trust Store
This section provides tutorial examples on extracting certificates from Linux Trust Store using the 'trust extract' command.
What Is Linux Trust Store? Linux Trust Store is a collection of root CA certificates with trust information stored at a central location on Linux computers.
Linux Trust Store is located at /etc/ssl/certs on most Linux computers. It may contain certificate bundle files or individual certificate files in different file formats.
Here are some examples:
Trust Store on Ubuntu 18
herong$ tree /etc/ssl/certs
/etc/ssl/certs
|-- 002c0b4f.0 -> GlobalSign_Root_R46.pem
|-- 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
|-- 062cdee6.0 -> GlobalSign_Root_CA_-_R3.pem
...
|-- GlobalSign_Root_R46.pem
      -> /usr/share/ca-certificates/mozilla/GlobalSign_Root_R46.crt
|-- GLOBALTRUST_2020.pem
      -> /usr/share/ca-certificates/mozilla/GLOBALTRUST_2020.crt
|-- Go_Daddy_Class_2_CA.pem
      -> /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
...
|-- ca-certificates.crt
|-- java
    |-- cacerts
Notes on the output:
Trust Store on CentOS 8
herong$ tree /etc/ssl/certs
/etc/ssl/certs
|-- ca-bundle.crt
      -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
|-- ca-bundle.trust.crt
      -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Notes on the output:
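An added example, not part of the original tutorial: a Python check that audits the layout shown in the two listings above by resolving each entry's symlink chain, classifying it as hash link, single certificate, bundle or directory, and flagging dangling links and targets outside an allowed set of directories. The sample store (including `Unmanaged.pem` and `deadbeef.0`) is constructed, the function names and the `allowed_roots` parameter are assumptions, and certificates are counted by PEM markers only, not parsed.

```python
import re
import tempfile
from pathlib import Path

HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")  # OpenSSL subject-hash link name, e.g. 002c0b4f.0
PEM_BEGIN = re.compile(r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----")

def audit_trust_store(store, allowed_roots):
    """Map each entry name to (kind, resolved target), flagging links that look wrong."""
    roots = [Path(r).resolve() for r in allowed_roots]
    report = {}
    for entry in sorted(Path(store).iterdir()):
        real = entry.resolve()                  # follows the whole symlink chain
        if not real.exists():
            kind = "dangling-link"
        elif real.is_dir():
            kind = "directory"                  # e.g. the java/ subdirectory
        elif not any(root in real.parents for root in roots):
            kind = "outside-allowed-roots"      # anchor file lives in an unmanaged place
        else:
            count = len(PEM_BEGIN.findall(real.read_text(errors="replace")))
            if count == 0:
                kind = "non-pem"
            elif HASH_NAME.match(entry.name):
                kind = "hash-link"
            else:
                kind = "bundle" if count > 1 else "certificate"
        report[entry.name] = (kind, str(real))
    return report

def build_sample_store(base):
    """Constructed miniature of the Ubuntu layout shown above, plus two bad links."""
    pem = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
    store, share, other = (Path(base, d) for d in ("certs", "share", "other"))
    for d in (store, share, other):
        d.mkdir()
    (share / "GlobalSign_Root_R46.crt").write_text(pem)
    (store / "ca-certificates.crt").write_text(pem * 2)            # bundle: two certificates
    (other / "unmanaged.crt").write_text(pem)
    (store / "GlobalSign_Root_R46.pem").symlink_to(share / "GlobalSign_Root_R46.crt")
    (store / "002c0b4f.0").symlink_to("GlobalSign_Root_R46.pem")   # relative, as on Ubuntu
    (store / "Unmanaged.pem").symlink_to(other / "unmanaged.crt")  # constructed: outside roots
    (store / "deadbeef.0").symlink_to("missing.pem")               # constructed: dangling
    return store, [store, share]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (kind, real) in audit_trust_store(*build_sample_store(tmp)).items():
            print(f"{name:26}{kind:24}{real}")
```

Against the Ubuntu layout above the allowed roots would be /etc/ssl/certs and /usr/share/ca-certificates; against the CentOS layout, /etc/ssl/certs and /etc/pki/ca-trust/extracted.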