update-ca-trust Command on CentOS

PKI Tutorials - Herong's Tutorial Examples

∟update-ca-trust Command on CentOS

This section describes how to use the update-ca-trust Command to manage trusted root CA certificates on CentOS computers.

If you are using CentOS computers, you should the update-ca-trust command to manage trusted root CA certificates.

The update-ca-trust command uses 2 input directories to process new root CA certificates with low and high priorities:

/usr/share/pki/ca-trust-source/ - An input directory drop new root CA certificates to be interpreted with a low priority.
/etc/pki/ca-trust/source/ - An input directory where root CA certificates with distrust/blacklist trust flags are located. They will be

Depending on the certificate file format and trust status of the new certificate, you can drop it in the input directory at 3 places:

{input}/ - If the new certificate has a trust status included in the certificate file, drop it at the base of the input directory.
{input}/anchors/ - If the new certificate has no trust status included and you want it be trusted, drop it in the ./anchors/ subdirectory.
{input}/blacklist/ - If the new certificate has no trust status included and you want it be distrusted, drop it in the ./blacklist/ subdirectory.

Whenever new certificates are dropped in an input directory, you should run the "sudo update-ca-trust extract" command to update system root CA certificates in 4 directories using different formats:

/etc/pki/ca-trust/extracted/edk2/cacerts.bin - Root CA certificate file in EDK2 (EFI Development Kit II) format.
/etc/pki/ca-trust/extracted/java/cacerts - Root CA certificate file in JKS (Java KeyStore) format.
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt - Root CA certificate file in PEM format with trust statuses included.
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - Root CA certificate file in PEM format without trust statuses. Distrusted certificates are not included in this file.

Maintaining root CA certificates in 4 different formats allows applications to select a format that matches their needs.

Here is the /etc/pki/ca-trust/extracted/ directory tree on a CentOS 8 computer with root CA certificates stored in 4 different formats:

herong$ ls -l /etc/pki/ca-trust/extracted/
  drwxr-xr-x. 2 root root  39 Dec 12  2022 edk2
  drwxr-xr-x. 2 root root  35 Dec 12  2022 java
  drwxr-xr-x. 2 root root  47 Dec 12  2022 openssl
  drwxr-xr-x. 2 root root 130 Aug 13  2024 pem

herong$ tree /etc/pki/ca-trust/extracted/
  |-- edk2
  |   |-- cacerts.bin
  |-- java
  |   |-- cacerts
  |-- openssl
  |   |-- ca-bundle.trust.crt
  |-- pem
  |   |-- email-ca-bundle.pem
  |   |-- objsign-ca-bundle.pem
  |   |-- tls-ca-bundle.pem
  |   |-- tls-ca-bundle.pem-bck

For older applications that read root CA certificates at the standard location of /etc/pki/tls/certs, 2 symbolic links are used to access root CA certificates in 2 different formats:

herong$ ls -l /etc/pki/tls/certs
  ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  ca-bundle.trust.crt -> 
    /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt