PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
"trust anchor" - Add and Remove Certificates.
This section provides tutorial examples on adding and removing certificate information in Linux Trust Store using the 'trust anchor' command.
According to the documentation, you should be able to add or remove CA certificates in the Linux Trust Store with the "trust anchor" command.
Let's try to remove an existing certificate on my Ubuntu 18 computer:
# get the PKCS#11 URI of the certificate
herong$ trust list | grep -B 3 -A 3 "DigiCert Global Root CA"
pkcs11:id=%03%de%50%35%56%d1%4c%bb%66%f0%a3%e2%1b%1b%c3%97%b2%3d%d1%55;type=cert
type: certificate
label: DigiCert Global Root CA
trust: anchor
category: authority
# save a copy of the certificate
herong$ trust extract --format=openssl-bundle \
--filter="pkcs11:id=%03%de%50%35%56%d1%4c%bb%66%f0%a3%e2%1b%1b%c3%97%b2%3d%d1%55;type=cert" \
DigiCert-Global-Root-CA.pem
# remove it from the Trust Store
herong$ sudo trust anchor --remove -v \
"pkcs11:id=%03%de%50%35%56%d1%4c%bb%66%f0%a3%e2%1b%1b%c3%97%b2%3d%d1%55;type=cert"
(p11-kit:11800) remove_all: removing certificate: 48
p11-kit: couldn't remove read-only certificate
Unfortunately, the operation failed. The Trust Store on my Ubuntu 18 computer is configured as read-only by default. I am not able to remove any certificates with the "trust" command.
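The grep -B 3 -A 3 step above locates the PKCS#11 URI by eye. The helper below is an added example, not part of the tutorial: it parses "trust list" output record by record and returns the URI only for an entry that carries the requested label and is trusted as an anchor, so a non-anchor entry with the same name is never picked up, and backup_anchor wraps the same "trust extract" invocation the tutorial uses for the save-a-copy step, failing loudly when no such anchor exists. The function names, the second sample record and its "distrusted" trust value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): find the PKCS#11 URI of a trust anchor
# by its exact label, then back it up with "trust extract" before any change.
#
# trust_uri_for_label LABEL  - reads "trust list" output on stdin and prints the
#                              URI of the record whose label equals LABEL and
#                              whose trust value is "anchor"; prints nothing and
#                              returns 1 otherwise.
trust_uri_for_label() {
  awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n" }           # one blank-line-separated record per cert
    {
      uri = $1; label = ""; trust = ""     # first line of a record is the URI
      for (i = 2; i <= NF; i++) {
        f = $i; sub(/^[ \t]+/, "", f)      # real "trust list" output indents fields
        if (f ~ /^label: /) label = substr(f, 8)
        else if (f ~ /^trust: /) trust = substr(f, 8)
      }
      if (label == want && trust == "anchor") { print uri; found = 1; exit }
    }
    END { exit found ? 0 : 1 }
  '
}

# backup_anchor LABEL OUTFILE - saves the anchor as a PEM bundle with the same
# "trust extract" flags the tutorial uses; returns 1 (and writes nothing)
# when the label is not present as an anchor.
backup_anchor() {
  label="$1"; out="$2"
  uri=$(trust list | trust_uri_for_label "$label") || {
    echo "no trust anchor labelled '$label' in the store" >&2
    return 1
  }
  trust extract --format=openssl-bundle --filter="$uri" "$out"
}

# Constructed sample of "trust list" output: the DigiCert record shown in the
# tutorial plus an invented second entry whose trust value ("distrusted") is
# chosen here only to show that non-anchor records are ignored.
SAMPLE_TRUST_LIST=$(cat <<'EOF'
pkcs11:id=%03%de%50%35%56%d1%4c%bb%66%f0%a3%e2%1b%1b%c3%97%b2%3d%d1%55;type=cert
    type: certificate
    label: DigiCert Global Root CA
    trust: anchor
    category: authority

pkcs11:id=%aa%bb%cc;type=cert
    type: certificate
    label: Example Root CA
    trust: distrusted
    category: authority
EOF
)

# Offline demonstration on the constructed sample; on a real system use
#   trust list | trust_uri_for_label 'DigiCert Global Root CA'
printf '%s\n' "$SAMPLE_TRUST_LIST" | trust_uri_for_label 'DigiCert Global Root CA'
```

On the author's machine, backup_anchor 'DigiCert Global Root CA' DigiCert-Global-Root-CA.pem reproduces the save-a-copy step, and the lookup accepts both the indented fields that trust list really prints and the un-indented form shown above.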
Now let's try to add a new certificate:
herong$ more ZZ-Root-CA.crt
-----BEGIN CERTIFICATE-----
MIIB+zCCAYKgAwIBAgIJAIZgMcdaWuMDMAkGByqGSM49BAEwIjELMAkGA1UEBhMC
WloxEzARBgNVBAMTClpaIFJvb3QgQ0EwHhcNMjQxMTI0MTMwNzA4WhcNMjQxMjI0
MTMwNzA4WjAiMQswCQYDVQQGEwJaWjETMBEGA1UEAxMKWlogUm9vdCBDQTB2MBAG
...

herong$ sudo trust anchor --store -v ZZ-Root-CA.crt
(p11-kit:11843) files_to_attrs: parsed file: ZZ-Root-CA.crt
p11-kit: no configured writable location to store anchors
Again, the Trust Store on my Ubuntu 18 computer is configured as read-only by default. I am not able to add any certificates with the "trust" command.
Instead of using the "trust" command, you can actually use other tools to manage the Trust Store. For example: