PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
"update-ca-certificates" vs "trust" on Debian/Ubuntu Computers
This section describes the differences between 'update-ca-certificates' and 'trust' commands on Debian/Ubuntu computers.
From previous tutorials, we learned that you need to use 2 commands together on Debian and Ubuntu computers to manage the Trust Store:
1. "update-ca-certificates" - Allows you to add CA certificates to the Trust Store by placing them in the /usr/share/ca-certificates/ directory and adjusting the trust flag in the /etc/ca-certificates.conf file.
2. "trust" from the p11-kit package - Allows you to search, view, or export CA certificates from the Trust Store. The "add" and "remove" functions on "trust" are turned off.
To confirm this understanding, let's refresh the Trust Store with the "update-ca-certificates" command, count the total certificates with the "trust" command, then verify the count.
# on a Ubuntu 18 computer
herong# sudo update-ca-certificates
herong$ trust list --filter=trust-policy | grep certificate | wc
138 276 3036
herong$ grep BEGIN /etc/ssl/certs/ca-certificates.crt | wc
138 276 3864
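The same cross-check as a reusable script, added here as an example that is not part of the original tutorial. It assumes the output of "trust list" has been saved to a file; the function names, the sample labels and the placeholder PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check the bundle file against saved "trust list" output.

# Count PEM blocks in a bundle such as /etc/ssl/certs/ca-certificates.crt.
count_bundle_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Count entries by matching the whole "type:" line, so a label that happens
# to contain the word "certificate" is not counted as an extra entry.
count_trust_entries() {
    grep -c '^[[:space:]]*type: certificate[[:space:]]*$' "$1" || true
}

# The looser "grep certificate" filter, kept for comparison.
count_trust_naive() {
    grep -c certificate "$1" || true
}

# Succeeds only when both views report the same number of certificates.
trust_views_match() {
    [ "$(count_bundle_certs "$1")" -eq "$(count_trust_entries "$2")" ]
}

# Constructed sample data: two placeholder PEM blocks and two trust entries,
# one with a hypothetical label that contains "certificate".
make_samples() {
    dir=$(mktemp -d)
    for i in 1 2; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----'
    done > "$dir/bundle.crt"
    cat > "$dir/trust.txt" <<'EOF'
pkcs11:id=%01;type=cert
    type: certificate
    label: Example Root CA 1
    trust: anchor
    category: authority

pkcs11:id=%02;type=cert
    type: certificate
    label: Example certificate authority 2
    trust: anchor
    category: authority
EOF
    echo "$dir"
}

d=$(make_samples)
echo "bundle=$(count_bundle_certs "$d/bundle.crt") trust=$(count_trust_entries "$d/trust.txt") naive=$(count_trust_naive "$d/trust.txt")"
```

On a real computer, save the listing first with "trust list --filter=trust-policy > trust.txt", then call trust_views_match with /etc/ssl/certs/ca-certificates.crt and trust.txt.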