/etc/pki/ Directory and Symbolic Links

This section describes the /etc/pki/ directory, which holds CA certificates in different formats for different types of applications.

Newer Linux distributions use the /etc/pki/ directory to store CA certificates and related information for all applications. Here is an example on my CentOS 8 computer:

herong$ ls -l /etc/pki/ 

drwxr-xr-x. 4 root   root    73 May 11  2022 ca-trust
  - Used by "update-ca-trust" for the Trust Store 

drwxr-xr-x. 4 root   root    61 May 11  2022 dovecot
  - Server certificates for the Dovecot IMAP server

drwxr-xr-x. 2 root   root   111 May 11  2022 fwupd
drwxr-xr-x. 2 root   root   111 May 11  2022 fwupd-metadata
  - Used by the Firmware Update Daemon

drwxr-xr-x. 2 root   root    21 May 11  2022 java
  - Stores CA certificates in JKS (Java KeyStore) format

drwxr-xr-x. 2 root   root   103 Dec  3  2021 nssdb
  - Stores CA certificates for Firefox and Chrome browsers

drwxr-xr-x. 5 root   root   104 May 11  2022 tls
  - Stores CA certificates for SSL/TLS applications

...

Since the "update-ca-trust" command is used to maintain the official version of the CA certificates together with their trust information, symbolic links are used to share that official version with the different applications.

Here are some examples:

1. /etc/pki/java/cacerts - Link to the JKS (Java KeyStore) file containing only trusted CA certificates for Java applications. It is protected with the "changeit" password.

herong$ ls -l /etc/pki/java

cacerts -> /etc/pki/ca-trust/extracted/java/cacerts

2. /etc/pki/tls/cert.pem - Link to the PEM bundle file containing only trusted CA certificates for SSL/TLS applications.

herong$ ls -l /etc/pki/tls

cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

3. /etc/pki/tls/certs/ca-bundle.crt - Link to the same file as /etc/pki/tls/cert.pem.

herong$ ls -l /etc/pki/tls/certs 

ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

4. /etc/pki/tls/certs/ca-bundle.trust.crt - Link to the OpenSSL PEM bundle file containing all CA certificates with trust/distrust flags.

herong$ ls -l /etc/pki/tls/certs 

ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

A symbolic link is also used to help older applications that rely on the /etc/ssl/certs directory for CA certificates, as shown below:

herong$ ls -l /etc/ssl/certs
  /etc/ssl/certs -> ../pki/tls/certs

herong$ ls -l /etc/pki/tls/certs
   ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
   ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
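Because every application above trusts whatever these links resolve to, a link that has been replaced by a regular file, left dangling, or redirected outside /etc/pki/ca-trust/extracted/ silently changes the trust store without "update-ca-trust" ever being involved. The following POSIX shell script is an added example, not part of this tutorial: it audits the links listed above (the paths are the ones shown on this page) and counts the certificates in the PEM bundle. The "make_demo_tree" function builds a constructed mock of the layout under a temporary directory with dummy PEM bodies, so the checks can be exercised without touching a real system.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the trust-store links.
# check_trust_links [ROOT] verifies that each link documented on this page is a
# symbolic link whose resolved target exists and lives inside
# ROOT/etc/pki/ca-trust/extracted/ (the tree that update-ca-trust rewrites).
# ROOT defaults to "" (the live system); make_demo_tree builds a constructed
# mock tree for demonstration.

# Documented links as "link|required target prefix" pairs.
trust_links() {
    cat <<'EOF'
/etc/pki/java/cacerts|/etc/pki/ca-trust/extracted/java/
/etc/pki/tls/cert.pem|/etc/pki/ca-trust/extracted/pem/
/etc/pki/tls/certs/ca-bundle.crt|/etc/pki/ca-trust/extracted/pem/
/etc/pki/tls/certs/ca-bundle.trust.crt|/etc/pki/ca-trust/extracted/openssl/
/etc/ssl/certs|/etc/pki/tls/certs
EOF
}

# Returns 0 when every documented link is present, is really a symlink,
# resolves to an existing file and stays under its expected prefix.
check_trust_links() {
    root=${1:-}
    # Canonicalise ROOT so that comparisons work when ROOT itself is symlinked.
    if [ -n "$root" ]; then root=$(readlink -f "$root"); fi
    rc=0
    for entry in $(trust_links); do
        link=${entry%%|*}
        prefix=${entry#*|}
        path="$root$link"
        if [ ! -L "$path" ]; then
            echo "FAIL $link: not a symbolic link"; rc=1; continue
        fi
        target=$(readlink -f "$path") || target=""
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "FAIL $link: dangling link ($(readlink "$path"))"; rc=1; continue
        fi
        case "$target" in
            "$root$prefix"*) echo "ok   $link -> $target" ;;
            *) echo "FAIL $link: resolves outside $prefix ($target)"; rc=1 ;;
        esac
    done
    return $rc
}

# Number of certificates in a PEM bundle (confirms cert.pem is not empty).
count_bundle_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed mock of the CentOS 8 layout under a temp directory. The PEM
# bodies are placeholders, not real certificates. Prints the root path.
make_demo_tree() {
    root=$(mktemp -d)
    ex="$root/etc/pki/ca-trust/extracted"
    mkdir -p "$ex/java" "$ex/pem" "$ex/openssl" \
             "$root/etc/pki/java" "$root/etc/pki/tls/certs" "$root/etc/ssl"
    : > "$ex/java/cacerts"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdemo1' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'MIIBdemo2' '-----END CERTIFICATE-----' \
        > "$ex/pem/tls-ca-bundle.pem"
    : > "$ex/openssl/ca-bundle.trust.crt"
    ln -s "$ex/java/cacerts"                "$root/etc/pki/java/cacerts"
    ln -s "$ex/pem/tls-ca-bundle.pem"       "$root/etc/pki/tls/cert.pem"
    ln -s "$ex/pem/tls-ca-bundle.pem"       "$root/etc/pki/tls/certs/ca-bundle.crt"
    ln -s "$ex/openssl/ca-bundle.trust.crt" "$root/etc/pki/tls/certs/ca-bundle.trust.crt"
    ln -s ../pki/tls/certs                  "$root/etc/ssl/certs"
    printf '%s\n' "$root"
}

# Usage: sh check_trust_links.sh --live   (audit this machine)
#        sh check_trust_links.sh --demo   (audit the constructed mock tree)
case "${1:-}" in
    --live) check_trust_links ;;
    --demo)
        demo=$(make_demo_tree)
        check_trust_links "$demo"
        echo "certificates in cert.pem: $(count_bundle_certs "$demo/etc/pki/tls/cert.pem")"
        rm -rf "$demo" ;;
esac
```

The prefix check is the security-relevant part: a link that resolves to an existing file but outside the extracted tree would still satisfy a plain "does the file exist" test while pointing applications at a bundle that "update-ca-trust" no longer maintains.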
