PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
"trust extract" - Extract Certificates from Linux Trust Store
This section provides tutorial examples on extracting certificates from Linux Trust Store using the 'trust extract' command.
If you want to extract specific certificates from the Linux Trust Store, you can use the "trust extract" command with these options:
trust extract --purpose=... --filter=... --format=... --overwrite {out}
where:
--purpose=...: same as the "trust list" command
--filter=...: same as the "trust list" command
--format=...: specifies one of the output formats:
x509-file (DER file),
x509-directory (directory of DER files),
pem-bundle (PEM bundle file),
pem-directory (directory of PEM files),
pem-directory-hash (directory of PEM files with hash links),
openssl-bundle (OpenSSL PEM bundle),
openssl-directory (directory of OpenSSL PEM files),
and java-cacerts (JKS (Java KeyStore) file)
--overwrite: overwrite existing files in the output directory
{out}: output file or directory
Here are some examples of extracting certificates from the Linux Trust Store.
1. Extract distrusted (blacklisted) certificates into an OpenSSL PEM bundle file:
herong$ trust extract --filter=blacklist --format=openssl-bundle \
   --overwrite openssl-bundle.pem

herong$ more openssl-bundle.pem
-----BEGIN TRUSTED CERTIFICATE-----
MIIFijCCA3KgAwIBAgIQD////////////////////zANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp
Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww
...
2. Extract code-signing certificates as individual PEM files:
herong$ trust extract --purpose=code-signing --format=pem-directory \
   --overwrite pem-files

herong$ ls -l pem-files
total 552
... 1517 May 9 11:29 AAA_Certificate_Services.pem
... 2772 May 9 11:29 ACCVRAIZ1.pem
... 1972 May 9 11:29 AC_RAIZ_FNMT-RCM.pem
...  904 May 9 11:29 AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
... 2049 May 9 11:29 Actalis_Authentication_Root_CA.pem
...
3. Extract a given certificate in PEM format with hash symbolic links. I see 2 links for a single certificate. I am not sure where the second hash 399e7759 came from.
herong$ trust extract \
   --filter="pkcs11:id=%03%DE%50%35%56%D1%4C%BB%66%F0%A3%E2%1B%1B%C3%97%B2%3D%D1%55;type=cert" \
   --format=pem-directory-hash --overwrite pem-hash

herong$ ls -l pem-hash
total 4
...   27 May 9 11:33 3513523f.0 -> DigiCert_Global_Root_CA.pem
...   27 May 9 11:33 399e7759.0 -> DigiCert_Global_Root_CA.pem
... 1338 May 9 11:33 DigiCert_Global_Root_CA.pem

herong$ openssl x509 -hash -noout -in pem-hash/DigiCert_Global_Root_CA.pem
3513523f
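OpenSSL can derive two different link names from one subject: "openssl x509 -subject_hash" (the value "-hash" prints) is the SHA-1 of the canonicalized subject name, and "openssl x509 -subject_hash_old" is the MD5 of the raw DER subject, each truncated to 4 bytes and printed little-endian. The Python below is an added example, not part of the original tutorial, that reimplements both computations for the DigiCert Global Root CA subject so the results can be compared with the two link names in the listing above; the helper names and the PrintableString encoding of the subject attributes are assumptions.

```python
import hashlib

# id-at attribute types: OID 2.5.4.<n>, DER-encoded as 06 03 55 04 <n>
ATTR_ARC = {"C": 6, "O": 10, "OU": 11, "CN": 3}
WS = b" \t\n\r\x0b\x0c"  # the whitespace set OpenSSL's canonicalization collapses

def der_tlv(tag, content):
    """DER tag-length-value (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def rdn_set(attr, value, string_tag):
    """RelativeDistinguishedName: SET { SEQUENCE { type OID, value string } }."""
    atv = der_tlv(0x06, bytes([0x55, 0x04, ATTR_ARC[attr]])) + der_tlv(string_tag, value)
    return der_tlv(0x31, der_tlv(0x30, atv))

def name_der(rdns, string_tag=0x13):
    """Name as encoded in the certificate: SEQUENCE OF RDN; PrintableString (0x13) assumed."""
    return der_tlv(0x30, b"".join(rdn_set(a, v.encode(), string_tag) for a, v in rdns))

def canon_value(value):
    """OpenSSL asn1_string_canon: trim, collapse whitespace runs, ASCII-lowercase."""
    out, prev_ws = bytearray(), False
    for b in value.encode("utf-8").strip(WS):
        if b not in WS:
            out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
        elif not prev_ws:
            out.append(0x20)
        prev_ws = b in WS
    return bytes(out)

def canon_name(rdns):
    """OpenSSL canonical Name: UTF8String (0x0C) values, RDN SETs concatenated, no outer SEQUENCE."""
    return b"".join(rdn_set(a, canon_value(v), 0x0C) for a, v in rdns)
def subject_hash(rdns):
    """openssl x509 -subject_hash: SHA-1 over the canonical Name. OpenSSL packs
    md[0..3] little-endian into an unsigned long and prints it with %08lx."""
    return "%08x" % int.from_bytes(hashlib.sha1(canon_name(rdns)).digest()[:4], "little")
def subject_hash_old(rdns):
    """openssl x509 -subject_hash_old: same packing, MD5 over the raw DER Name."""
    return "%08x" % int.from_bytes(hashlib.md5(name_der(rdns)).digest()[:4], "little")
# Subject of DigiCert Global Root CA, as printed by "openssl x509 -subject -noout"
DIGICERT_GLOBAL_ROOT_CA = [("C", "US"), ("O", "DigiCert Inc"),
                           ("OU", "www.digicert.com"), ("CN", "DigiCert Global Root CA")]
if __name__ == "__main__":
    for fn in (subject_hash, subject_hash_old):
        print(f"{fn.__name__}: {fn(DIGICERT_GLOBAL_ROOT_CA)}.0 -> DigiCert_Global_Root_CA.pem")
```

Because the new hash is computed over a case-folded, whitespace-collapsed UTF-8 form, two subjects differing only in case or string type share a link name, which is why the ".0" suffix exists for collisions.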
4. Extract some certificates into a JKS (Java KeyStore) file. The java-cacerts format requires a --purpose filter, and the resulting keystore uses "changeit" as the default password.
herong$ trust extract --filter=trust-policy \
   --format=java-cacerts --overwrite -v root-cert.jks
p11-kit: format does not support trust policy

herong$ trust extract --filter=ca-anchors \
   --format=java-cacerts --overwrite -v root-cert.jks
p11-kit: format requires a purpose, specify it with --purpose; ...

herong$ trust extract --purpose=email \
   --format=java-cacerts --overwrite -v email-cert.jks

herong$ keytool -list -keystore email-cert.jks -storepass changeit
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 138 entries

amazonrootca4, 9 May 2026, trustedCertEntry,
Certificate fingerprint (SHA-256): E3:5D:28:41:9E:D0:20:25:CF:
anfsecureserverrootca, 9 May 2026, trustedCertEntry,
Certificate fingerprint (SHA-256): FB:8F:EC:75:91:69:B9:10:6B:
atostrustedroot2011, 9 May 2026, trustedCertEntry,
Certificate fingerprint (SHA-256): F3:56:BE:A2:44:B7:A9:1E:B3:
...