ca-synch — tool for maintaining the system CA database
ca-synch
ca-trust [[--trust uses] | [--distrust uses]] {/path/to/cert.crt}
/usr/share/ca-certificates
/etc/pki/tls/override
/etc/pki/tls/ca-bundle.crt
/etc/pki/tls/ca-bundle.d
The ca-tool suite is used to maintain the system CA certificate database. The inputs are the "source" and "override" directories as described above. The output state comprises the flat file ca-bundle.crt and a directory in OpenSSL hash format.
The ca-synch program updates the output state given the current inputs. It takes no arguments.
The ca-trust program can be used to alter the current input state. Trusted or distrusted uses must be passed using the --trust or --distrust options, which take a comma-separated list of any of the following trusted uses:
serverAuth
clientAuth
email
codeSigning
The following will import a certificate "ca1.crt" into the override directory, setting the .
# ca-trust --trust serverAuth --distrust codeSigning ~/ca1.crt
The following will mark the given CA certificate as distrusted.
# ca-trust --distrust serverAuth /usr/share/ca-certificates/ValiCert_Class_1_VA:2.1.1.crt
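The following is an added example, not part of the ca-tool suite: a check that the two outputs described above (the flat file and the hashed directory) hold the same set of certificates after a run of ca-synch. It assumes both outputs contain PEM certificate blocks and that the directory follows OpenSSL's `<hash>.<n>` file naming; the function names are hypothetical and the sample data is constructed.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)"
    r"-----END (?:TRUSTED )?CERTIFICATE-----", re.S)
HASH_NAME_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")  # OpenSSL hashed-dir naming: <hash>.<n>

def fingerprints(text):
    """SHA-256 of the decoded body of every PEM certificate block in text."""
    return {hashlib.sha256(base64.b64decode("".join(m.split()))).hexdigest()
            for m in PEM_RE.findall(text)}

def audit(bundle, hashed_dir):
    """Compare the flat bundle with the hashed directory; return the discrepancies."""
    in_bundle = fingerprints(Path(bundle).read_text())
    in_dir, bad_names = set(), []
    for entry in sorted(Path(hashed_dir).iterdir()):
        if not HASH_NAME_RE.match(entry.name):
            bad_names.append(entry.name)  # OpenSSL hash lookups never open this name
            continue
        in_dir |= fingerprints(entry.read_text())
    return {"only_in_bundle": in_bundle - in_dir,
            "only_in_dir": in_dir - in_bundle,
            "bad_names": bad_names}

def _pem(der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def demo():
    """Constructed sample: stand-in bytes take the place of real DER certificates."""
    a, b, c = (_pem(b"constructed-ca-" + x) for x in (b"A", b"B", b"C"))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ca-bundle.crt").write_text(a + b)
        hashed = root / "ca-bundle.d"
        hashed.mkdir()
        (hashed / "0a1b2c3d.0").write_text(a)
        (hashed / "4e5f6a7b.0").write_text(c)   # present only in the directory
        (hashed / "stray.pem").write_text(b)    # not a valid hashed-dir name
        return audit(root / "ca-bundle.crt", hashed)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value))
```

On a real system, call `audit("/etc/pki/tls/ca-bundle.crt", "/etc/pki/tls/ca-bundle.d")`; any non-empty field in the result means the two outputs disagree and ca-synch should be run again or the directory inspected.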