PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
What Is ca-certificates Package
This section describes the 'ca-certificates' package, which installs trusted root CA certificates supporting SSL/TLS applications.
What Is ca-certificates Package? "ca-certificates" is a software package that contains trusted root CA certificates provided by the Mozilla Foundation.
"ca-certificates" is usually pre-installed on most Linux systems like Debian, Ubuntu, and Red Hat distributions. Root CA certificates installed from "ca-certificates" allow SSL/TLS applications (curl, wget, git, etc.) to verify remote server certificates and establish encrypted connections.
To ensure security, it is highly recommended to keep "ca-certificates" updated, as the Mozilla Foundation periodically adds and removes CA certificates. You can run package update commands as shown below:
    # on Ubuntu
    herong$ sudo apt install ca-certificates
    ...
    ca-certificates is already the newest version
    ...

    # on Red Hat / CentOS
    herong$ sudo dnf install ca-certificates
    ...
    Package ca-certificates-2021.2.50-80.0.el8_4.noarch is already installed.
After installation, trusted root CA certificates will be stored in 2 places:
1. /etc/ssl/certs/ca-certificates.crt - trusted root CA certificates in a single PEM bundle file for all applications to use.
    herong$ ls -l /etc/ssl/certs/ca-certificates.crt
    -rw-r--r-- 1 root root 208567 Dec 26 10:45 ca-certificates.crt
2. /usr/share/ca-certificates/mozilla/*.crt - trusted root CA certificates as individual PEM files, used by the "update-ca-certificates" command to maintain the PEM bundle file.
    herong$ ls -l /usr/share/ca-certificates/mozilla/*.crt
    -rw-r--r-- 1 root root 2772 May 18 2023 ACCVRAIZ1.crt
    -rw-r--r-- 1 root root 1972 May 18 2023 AC_RAIZ_FNMT-RCM.crt
    ...
    -rw-r--r-- 1 root root 1911 May 18 2023 vTrus_Root_CA.crt
    -rw-r--r-- 1 root root 1513 May 18 2023 XRamp_Global_CA_Root.crt
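The two locations above can be checked against each other to see exactly which roots a host trusts. The Python script below is an added example, not part of the original tutorial. It fingerprints every certificate in the PEM bundle and in the individual packaged files, then reports any difference. The function names and the sample data are constructed for illustration, and the two paths are the ones listed above.

```python
import hashlib
import re
import ssl
from pathlib import Path

BUNDLE = Path("/etc/ssl/certs/ca-certificates.crt")     # bundle path from the page
PACKAGED = Path("/usr/share/ca-certificates/mozilla")   # per-CA files from the page
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprints of all certificate blocks in pem_text."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}


def audit(bundle_text, packaged):
    """Compare the bundle with packaged files given as {file name: PEM text}."""
    in_bundle = fingerprints(bundle_text)
    by_fp = {fp: name for name, text in packaged.items()
             for fp in fingerprints(text)}
    return {
        # Trusted, but not shipped by the package (for example a locally added CA).
        "extra_in_bundle": sorted(in_bundle - set(by_fp)),
        # Shipped by the package, but not trusted (for example a disabled CA).
        "missing_from_bundle": sorted(
            name for fp, name in by_fp.items() if fp not in in_bundle),
    }


def _pem(placeholder):
    """Wrap placeholder bytes as PEM. Constructed data, not a real certificate."""
    return ssl.DER_cert_to_PEM_cert(placeholder)


# Constructed sample: CA_B is packaged but absent from the bundle, and the
# bundle holds one certificate that no packaged file accounts for.
SAMPLE_PACKAGED = {"CA_A.crt": _pem(b"constructed CA A"),
                   "CA_B.crt": _pem(b"constructed CA B")}
SAMPLE_BUNDLE = _pem(b"constructed CA A") + _pem(b"constructed local CA")

if __name__ == "__main__":
    if BUNDLE.exists() and PACKAGED.is_dir():
        files = {p.name: p.read_text() for p in PACKAGED.glob("*.crt")}
        report = audit(BUNDLE.read_text(), files)
    else:  # fall back to the constructed sample when the paths are absent
        report = audit(SAMPLE_BUNDLE, SAMPLE_PACKAGED)
    for key, values in report.items():
        print(key, len(values), values)
```

An entry under "extra_in_bundle" is a trusted root that did not come from the packaged Mozilla files, so it is worth tracing to whoever added it.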