Linux update CA certificates

Last updated: 2017-06-01

 


Ubuntu

update-ca-certificates

CentOS 6

update-ca-trust - manage consolidated and dynamic configuration of CA certificates and associated trust, for new applications that read the consolidated configuration files found in the /etc/pki/ca-trust/extracted directory or that load the PKCS#11 module p11-kit-trust.so

# Install

yum install ca-certificates

# Provides: update-ca-trust

# Source: /usr/share/pki/ca-trust-source/   <-- contains CA certificates and trust settings in the PEM file format (low priority)

# /etc/pki/ca-trust/source/  <-- high priority

Usage

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

1. add it as a new file to directory /etc/pki/ca-trust/source/anchors/

2. update-ca-trust extract

FILES

/etc/pki/tls/certs/ca-bundle.crt                 # simple BEGIN/END CERTIFICATE file format

/etc/pki/tls/certs/ca-bundle.trust.crt         # extended BEGIN/END TRUSTED CERTIFICATE file format

/etc/pki/ca-trust/extracted                       # created using the "update-ca-trust extract"

 


Folder

 

# simple trust anchors subdirectory:

/usr/share/pki/ca-trust-source/anchors/
/etc/pki/ca-trust/source/anchors/                              # '/etc' overrides any other default configuration

# extended format directory:

/usr/share/pki/ca-trust-source/
/etc/pki/ca-trust/source/

# /etc/pki/ca-trust/extracted/

Contains consolidated and automatically generated configuration files for consumption by applications, which are created using the "update-ca-trust extract" command.

If your certificate is in the extended "BEGIN TRUSTED" file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), then add it as a new file to directory /etc/pki/ca-trust/source/
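The two placement rules above (simple PEM or DER goes in anchors/, extended "BEGIN TRUSTED" goes in source/) written as a shell helper. This is an added example, not part of the original notes; the function names ca_trust_dest and add_trusted_ca are made up here, and the DER check (leading bytes 30 82) is a heuristic assumption, not a full ASN.1 parse.

```shell
# Added example. Directories are the ones listed on this page.
ANCHORS_DIR=/etc/pki/ca-trust/source/anchors
EXTENDED_DIR=/etc/pki/ca-trust/source

# Print the source directory a certificate file belongs in, judged by its format.
# Returns 2 if the file is unreadable, 1 if it is not a recognised certificate.
ca_trust_dest() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    if grep -q -F -e '-----BEGIN TRUSTED CERTIFICATE-----' "$1"; then
        # Extended format: may carry distrust flags or non-TLS trust flags.
        echo "$EXTENDED_DIR"
    elif grep -q -F -e '-----BEGIN CERTIFICATE-----' "$1"; then
        # Simple PEM: files in anchors/ become trust anchors system-wide.
        echo "$ANCHORS_DIR"
    else
        # Heuristic (assumption): a DER certificate starts with an ASN.1
        # SEQUENCE tag and a two-byte length, i.e. the bytes 30 82.
        _magic=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
        if [ "$_magic" = 3082 ]; then
            echo "$ANCHORS_DIR"
        else
            echo "not a PEM/DER certificate (private key? wrong file?): $1" >&2
            return 1
        fi
    fi
}

# Copy the file into the matching directory, then regenerate the
# consolidated files under /etc/pki/ca-trust/extracted (needs root).
add_trusted_ca() {
    _dest=$(ca_trust_dest "$1") || return 1
    cp "$1" "$_dest/" && update-ca-trust extract
}
```

Run `add_trusted_ca foo.crt` as root; a file that is neither a certificate nor readable is rejected before anything is copied.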

 


CentOS 7: add a trusted certificate

 

Method 1

yum install ca-certificates

update-ca-trust

Method 2

When "Method 1" does not work, use the following approach.

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

cp foo.crt /etc/pki/ca-trust/source/anchors/
cp foo.ca-bundle.crt /etc/pki/ca-trust/source/anchors/

update-ca-trust extract