What Is update-ca-trust Command

This section describes 'update-ca-trust', the system command that maintains the CA certificate trust store on Red Hat-based (RHEL, CentOS, and Fedora) systems.

What Is "update-ca-trust" Command? "update-ca-trust" (actually a shell script, installed by the ca-certificates package) is the command on Red Hat-based (RHEL, CentOS, and Fedora) systems for maintaining the CA certificates in the system trust store. You place CA certificates in its source directories and run "update-ca-trust" (equivalent to "update-ca-trust extract") to regenerate the consolidated copies that applications actually read.

"update-ca-trust" keeps the trust store under the /etc/pki/ca-trust directory, as shown below:

herong$ tree /etc/pki/ca-trust

/etc/pki/ca-trust
|-- ca-legacy.conf
|-- extracted                      # generated by update-ca-trust, do not edit
|   |-- edk2
|   |   |-- cacerts.bin            # EDK2 (EFI Development Kit 2)
|   |   |-- README
|   |-- java
|   |   |-- cacerts                # JKS (Java KeyStore) format
|   |   |-- README
|   |-- openssl
|   |   |-- ca-bundle.trust.crt    # PEM bundle, OpenSSL "TRUSTED CERTIFICATE" blocks
|   |   |-- README
|   |-- pem
|   |   |-- email-ca-bundle.pem    # email root CAs only
|   |   |-- objsign-ca-bundle.pem  # object signing root CAs only
|   |   |-- README
|   |   |-- tls-ca-bundle.pem      # server auth root CAs only
|   |-- README
|-- README
|-- source                         # inbox for new CA certificates
    |-- anchors                    # CA certificates to trust
    |-- blacklist                  # CA certificates to distrust
    |-- ca-bundle.legacy.crt -> /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
    |-- README

Note that "update-ca-trust" writes the trusted root CA certificates out in several formats, referred to as the "extracted" copies. These files are generated output: to change what is trusted, edit the directories under /etc/pki/ca-trust/source and rerun "update-ca-trust", because the next run overwrites anything edited directly in the extracted files.

1. EDK2 (EFI Development Kit 2) Format - A copy of all root CA certificates stored in EDK2 format for UEFI applications. The file is located at /etc/pki/ca-trust/extracted/edk2/cacerts.bin.

2. JKS (Java KeyStore) Format - A copy of all root CA certificates stored in JKS format for Java applications. The file is located at /etc/pki/ca-trust/extracted/java/cacerts, protected by the well-known default password "changeit". The password only provides an integrity check on the keystore; it protects nothing secret, since the file holds public CA certificates.

3. PEM (Privacy Enhanced Mail) Format - A copy of all root CA certificates concatenated in PEM format for applications that use the OpenSSL library. The file is located at /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt. Its entries are OpenSSL "TRUSTED CERTIFICATE" blocks (the certificate followed by OpenSSL-specific trust attributes), which other TLS libraries do not understand. Applications that expect a plain CA bundle should read the files under /etc/pki/ca-trust/extracted/pem/ instead.

4. Root CA Certificates for Different Usages - Trusted root CA certificates are separated for different usages under /etc/pki/ca-trust/extracted/pem/: tls-ca-bundle.pem holds only the root CAs trusted for TLS server authentication, email-ca-bundle.pem only those trusted for email protection, and objsign-ca-bundle.pem only those trusted for object signing. These bundles contain plain PEM "CERTIFICATE" blocks without trust attributes, so a CA that is trusted for one purpose only appears only in that purpose's bundle.

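As an added example (not code from the original page or from the ca-certificates package), the following Python script audits a trust store with the layout above. It counts the PEM blocks in each extracted PEM bundle, separating plain "CERTIFICATE" blocks from OpenSSL "TRUSTED CERTIFICATE" blocks, lists what sits in source/anchors and source/blacklist, and flags the store as stale when a file under source/ is newer than the extracted bundles, which means "update-ca-trust extract" has not been run since the last change. The edk2 and java copies are binary and are not inspected. The sample store it builds in a temporary directory is constructed for the demonstration, with placeholder base64 bodies that are not real certificates; to audit a real machine, call audit_trust_store("/etc/pki/ca-trust").

```python
"""Audit the layout of a Red Hat style CA trust store (/etc/pki/ca-trust).

Added example, not code from the original page or from the ca-certificates
package. It reads the directories update-ca-trust maintains and reports the
PEM block counts of each extracted bundle, the contents of the source
directories, and whether an extraction is overdue.
"""
import base64
import os
import re
import tempfile
from pathlib import Path

# Bundles regenerated by update-ca-trust, relative to the trust-store root.
EXTRACTED_PEM_BUNDLES = (
    "extracted/openssl/ca-bundle.trust.crt",
    "extracted/pem/tls-ca-bundle.pem",
    "extracted/pem/email-ca-bundle.pem",
    "extracted/pem/objsign-ca-bundle.pem",
)
SOURCE_DIRS = ("source/anchors", "source/blacklist")

# A PEM block: the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----.*?-----END (?P=label)-----", re.S)


def count_pem_blocks(text):
    """Return {label: count}, e.g. {"TRUSTED CERTIFICATE": 2} for the
    openssl/ bundle or {"CERTIFICATE": 2} for a pem/ bundle."""
    counts = {}
    for m in PEM_BLOCK.finditer(text):
        counts[m.group("label")] = counts.get(m.group("label"), 0) + 1
    return counts


def newest_mtime(directory):
    """Newest mtime of any regular file below directory (0.0 if none)."""
    return max((p.stat().st_mtime for p in Path(directory).rglob("*")
                if p.is_file()), default=0.0)


def audit_trust_store(root="/etc/pki/ca-trust"):
    root = Path(root)
    report = {"bundles": {}, "sources": {}, "missing": [], "stale": False}
    ext_times = []
    for rel in EXTRACTED_PEM_BUNDLES:
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        report["bundles"][rel] = count_pem_blocks(path.read_text())
        ext_times.append(path.stat().st_mtime)
    for rel in SOURCE_DIRS:
        d = root / rel
        names = []
        if d.is_dir():
            # The package ships a README in each source directory; it is
            # not a certificate, so leave it out of the listing.
            names = [p.name for p in d.iterdir()
                     if p.is_file() and p.name != "README"]
        report["sources"][rel] = sorted(names)
    # Anything under source/ newer than the oldest extracted bundle means
    # the extracted copies no longer reflect the sources.
    if ext_times and newest_mtime(root / "source") > min(ext_times):
        report["stale"] = True
    return report


def _fake_pem(label, n):
    """Constructed PEM block: the body is a base64 placeholder, not a real
    certificate, so it only exercises the layout code."""
    body = base64.b64encode(f"constructed body {n}".encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def build_sample_store(root):
    """Write a constructed /etc/pki/ca-trust look-alike under root."""
    root = Path(root)
    old = 1_000_000_000  # year 2001: extracted copies predate the new anchor
    for rel in EXTRACTED_PEM_BUNDLES:
        label = "TRUSTED CERTIFICATE" if "openssl" in rel else "CERTIFICATE"
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("".join(_fake_pem(label, i) for i in range(2)))
        os.utime(path, (old, old))
    for rel in SOURCE_DIRS:
        (root / rel).mkdir(parents=True, exist_ok=True)
        readme = root / rel / "README"
        readme.write_text("placeholder\n")
        os.utime(readme, (old, old))
    # A freshly dropped anchor that has not been extracted yet.
    (root / "source/anchors/corp-root.crt").write_text(
        _fake_pem("CERTIFICATE", 9))


def run_demo():
    """Build the constructed store in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        return audit_trust_store(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real system the "stale" flag is the one to watch after dropping a file into source/anchors or source/blacklist: until "update-ca-trust" runs, the extracted bundles, and therefore every application, still reflect the old trust decisions.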