Name

ca-synch — tool for maintaining the system CA database

Synopsis

ca-synch

ca-trust [[--trust uses] | [--distrust uses]] {/path/to/cert.crt}

Files

/usr/share/ca-certificates
Input: Source directory, containing default set of system trusted CA certificates, in PEM "TRUSTED CERTIFICATE" format.
/etc/pki/tls/override
Input: Override directory, containing any new certificates, or copies of system certificates with different trust attributes.
/etc/pki/tls/ca-bundle.crt
Output: flat file in PEM plain "CERTIFICATE" format of all CAs trusted to issue SSL server certificates.
/etc/pki/tls/ca-bundle.d
Output: directory in OpenSSL hash format, symlinks to certificates in PEM "TRUSTED CERTIFICATE" format of all CAs in the database.

Overview

The ca-tool suite is used to maintain the system CA certificate database. The inputs are the "source" and "override" directory as described above. The output state comprises the flat file ca-bundle.crt and a directory in OpenSSL hash format.

Description

The ca-synch program updates the output state given the current inputs. It takes no arguments.

The ca-trust program can be used to alter the current input state. Trusted or distrusted uses must be passed using the --trust or --distrust options, which take a comma-separated list of any of the following trusted uses:

serverAuth
Trusted for signing SSL server certificates.
clientAuth
Trusted for signing SSL client certificates.
email
Trusted for e-mail signing.
codeSigning
Trusted for code (object) signing.

Examples

The following will import a certificate "ca1.crt" into the override directory, setting the .

# ca-trust --trust serverAuth --distrust codeSigning ~/ca1.crt 

The following will mark the given CA certificate as distrusted.

# ca-trust --distrust serverAuth /usr/share/ca-certificates/ValiCert_Class_1_VA:2.1.1.crt
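The merge that ca-synch performs over the source and override directories, and the trust attributes that ca-trust records, as an added Python model that is not the ca-tool suite's own code. It assumes the PEM "TRUSTED CERTIFICATE" layout OpenSSL writes (certificate DER followed by an X509_CERT_AUX carrying trust and reject OID lists), treats a file with no trust list as trusted for every use, takes the inputs as file-name to file-text dictionaries instead of reading the directories, and produces only the ca-bundle.crt part of the output, not the hash directory.

```python
import base64

SERVER_AUTH = bytes.fromhex("2b06010505070301")   # id-kp-serverAuth 1.3.6.1.5.5.7.3.1 as OID value bytes
CODE_SIGNING = bytes.fromhex("2b06010505070303")  # id-kp-codeSigning 1.3.6.1.5.5.7.3.3

def der(tag, body):                  # DER TLV encoder; short-form length suffices for the aux and samples
    return bytes([tag, len(body)]) + body
def tlv(buf, pos):                   # DER TLV decoder -> (tag, value, end offset); handles long-form lengths
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln
def tlvs(buf):                       # iterate the (tag, value) pairs inside a DER SEQUENCE body
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val
def pem(label, data):                # wrap DER in a PEM block with 64-column base64 lines
    b64 = base64.b64encode(data).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"
def trusted_pem(cert_der, trust=None, reject=()):
    # TRUSTED CERTIFICATE = cert DER + X509_CERT_AUX { trust SEQUENCE OF OID, reject [0] IMPLICIT SEQUENCE OF OID }
    oids = lambda tag, lst: der(tag, b"".join(der(0x06, o) for o in lst))
    aux = (oids(0x30, trust) if trust is not None else b"") + (oids(0xA0, reject) if reject else b"")
    return pem("TRUSTED CERTIFICATE", cert_der + der(0x30, aux))
def parse_trusted(text):             # -> (cert DER, trust set or None, reject set); OIDs kept as raw bytes
    raw = base64.b64decode("".join(text.splitlines()[1:-1]))
    _, _, end = tlv(raw, 0)          # the certificate is the first TLV; the aux follows, if present
    aux = tlv(raw, end)[1] if end < len(raw) else b""
    trust, reject = None, set()
    for tag, val in tlvs(aux):
        if tag == 0x30: trust = {v for _, v in tlvs(val)}
        elif tag == 0xA0: reject = {v for _, v in tlvs(val)}
    return raw[:end], trust, reject

def ca_synch(source, override, use=SERVER_AUTH):
    """Merge inputs (override wins by file name) -> {name: plain CERTIFICATE PEM} of the CAs trusted
    for `use`; joining the values gives ca-bundle.crt. Assumed: no trust list = trusted for all uses."""
    out = {}
    for name, text in sorted({**source, **override}.items()):
        cert, trust, reject = parse_trusted(text)
        if use not in reject and (trust is None or use in trust):   # a reject entry always wins
            out[name] = pem("CERTIFICATE", cert)
    return out

fake_cert = lambda n: der(0x30, der(0x02, bytes([n])))   # constructed stand-in for an X.509 certificate body
SOURCE = {"ca1.crt": trusted_pem(fake_cert(1), trust=[SERVER_AUTH, CODE_SIGNING]),
          "ca2.crt": trusted_pem(fake_cert(2))}                          # no trust list: all uses
OVERRIDE = {"ca2.crt": trusted_pem(fake_cert(2), reject=[SERVER_AUTH])}  # after ca-trust --distrust serverAuth
```

With the override in place, ca2.crt drops out of the serverAuth bundle while staying trusted for the other uses, which is the effect the second example above aims for.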