Linux update CA certificates

Last updated: 2017-06-01


  • Ubuntu
  • Centos 6
  • Folder
  • Centos 7






Centos 6


update-ca-trust - manage consolidated and dynamic configuration of CA certificates and associated trust

The feature is for new applications that read the consolidated configuration files found in the /etc/pki/ca-trust/extracted directory or that load the PKCS#11 module.

# Install

yum install ca-certificates

# Provides: update-ca-trust

# /usr/share/pki/ca-trust-source/   <-- contains CA certificates and trust settings in the PEM file format (low priority)

# /etc/pki/ca-trust/source/            <-- higher priority than "/usr/share/pki/ca-trust-source/"


# To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

1. Add it as a new PEM file to the directory

cp my.pem /etc/pki/ca-trust/source/anchors



3. Generate the files in /etc/pki/ca-trust/extracted/

update-ca-trust extract

Files (Output File)

"update-ca-trust" is what updates them

/etc/pki/tls/certs/ca-bundle.crt                 # simple BEGIN/END CERTIFICATE file format

# COMODO RSA Certification Authority


/etc/pki/tls/certs/         # extended BEGIN/END TRUSTED CERTIFICATE file format

/etc/pki/ca-trust/extracted                       # Created using the "update-ca-trust extract"

ls /etc/pki/ca-trust/extracted

java  openssl  pem  README




Simple trust anchors subdirectory:


/etc/pki/ca-trust/source/anchors/             # '/etc' overrides any other default configuration

Extended format directory:




Contains consolidated and automatically generated configuration files for consumption by applications, which are created using the "update-ca-trust extract" command.

If your certificate is in the extended "BEGIN TRUSTED" file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:

add it as a new file to the directory /etc/pki/ca-trust/source/anchors/


Centos 7 add trusted certificate


Method 1

yum install ca-certificates


Method 2

When "Method 1" does not work, use the following approach

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:

cp foo.crt /etc/pki/ca-trust/source/anchors/

update-ca-trust extract
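
To confirm that a certificate copied into /etc/pki/ca-trust/source/anchors/ actually reached the consolidated bundle after "update-ca-trust extract" (the CentOS 6 and CentOS 7 steps above), the following added example, which is not part of the original notes, compares SHA-256 fingerprints. It assumes the anchor is a PEM file and that awk, base64 and sha256sum are installed; pem_fingerprints, anchor_in_bundle, make_pem and the script name check_anchor.sh are names made up for this example.

```shell
#!/bin/sh
# Added example. Assumes awk, base64 and sha256sum (GNU coreutils) are installed.

# Print the SHA-256 of the DER bytes of each simple-format certificate in a PEM
# file, one hex digest per line. Comment lines in the bundle (such as
# "# COMODO RSA Certification Authority") and TRUSTED CERTIFICATE blocks are skipped.
pem_fingerprints() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1; b64 = ""; next }
        /^-----END CERTIFICATE-----/   { if (inblk) print b64; inblk = 0; next }
        inblk { gsub(/[ \t\r]/, ""); b64 = b64 $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# Return 0 only if the anchor file holds at least one certificate and every
# certificate in it also appears in the bundle; 1 if any is missing; 2 if the
# anchor file contains no certificate at all.
anchor_in_bundle() {
    anchor_fps=$(pem_fingerprints "$1")
    [ -n "$anchor_fps" ] || { echo "no certificate found in $1" >&2; return 2; }
    bundle_fps=$(pem_fingerprints "$2")
    rc=0
    for fp in $anchor_fps; do
        if printf '%s\n' "$bundle_fps" | grep -qxF "$fp"; then
            echo "OK      $fp"
        else
            echo "MISSING $fp"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data: stand-in bytes wrapped as PEM, not real certificates.
make_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        "$(printf '%s' "$1" | base64)" '-----END CERTIFICATE-----'
}

# On a CentOS host, after "update-ca-trust extract":
#   sh check_anchor.sh /etc/pki/ca-trust/source/anchors/my.pem /etc/pki/tls/certs/ca-bundle.crt
if [ "$#" -eq 2 ]; then anchor_in_bundle "$1" "$2"; fi
```

Each digest is the same value that openssl x509 -noout -fingerprint -sha256 reports for the certificate, printed as lowercase hex without colons.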

Remark: how to obtain the CA certificate

Open a webpage that uses the CA with Firefox

Click the lock icon in the address bar -> show information -> show certificate

The certificate viewer will open

Click Details and choose the certificate in the certificate chain that you want to import to CentOS

Click "Export..." and save it as a .crt file