Using Shared System Certificates
In Fedora, the consolidated system-wide trust store is located in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories. The trust settings in /usr/share/pki/ca-trust-source/ are processed with lower priority than settings in /etc/pki/ca-trust/.
Certificate files are treated depending on the subdirectory they are installed to:
for trust anchors
/usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
for distrusted certificates
/usr/share/pki/ca-trust-source/blacklist/
or
To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ directory, for example:
To update the system-wide trust store configuration, use the update-ca-trust command:
# update-ca-trust
While the Firefox browser is able to use an added certificate without executing
To list, extract, add, remove, or change trust anchors, use the trust command. To see the built-in help for this command, enter it without any arguments or with the --help directive:
$ trust list
pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority

    type: certificate
    label: ACEDICOM Root
    trust: anchor
    category: authority
...
[output has been truncated]
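The listing format above can be checked against a reviewed baseline to spot anchors nobody approved. The following is an added example, not part of the original documentation: it parses trust list output and reports every anchor whose label is missing from a baseline file. The function names, the one-label-per-line baseline format, and the second and third sample entries are assumptions constructed for illustration.

```shell
# Added example: report trust anchors that are not in a reviewed baseline.
# On a live system:  trust list | unexpected_anchors /path/to/baseline.txt

# Print "label<TAB>pkcs11-uri" for every object whose trust value is "anchor".
list_anchors() {
    awk '
        function emit() {
            if (uri != "" && trust == "anchor") printf "%s\t%s\n", label, uri
            uri = ""; label = ""; trust = ""
        }
        /^pkcs11:/      { emit(); uri = $0; next }   # a URI line starts a new object
        /^[ \t]+label:/ { sub(/^[ \t]+label:[ \t]*/, ""); label = $0; next }
        /^[ \t]+trust:/ { sub(/^[ \t]+trust:[ \t]*/, ""); trust = $0; next }
        END             { emit() }
    '
}

# Print anchors whose label does not appear in baseline file $1 (one label per line).
unexpected_anchors() {
    list_anchors | while IFS="$(printf '\t')" read -r label uri; do
        grep -Fxq -- "$label" "$1" || printf '%s\t%s\n' "$label" "$uri"
    done
}

# Constructed sample: first entry as shown on this page, the other two invented.
sample_trust_list() {
    cat <<'EOF'
pkcs11:id=%d2%87%b4%e3%df%37%27%93%55%f6%56%ea%81%e5%36%cc%8c%1e%3f%bd;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority

pkcs11:id=%AA%BB%CC%DD%EE;type=cert
    type: certificate
    label: Example Unreviewed CA
    trust: anchor
    category: authority

pkcs11:id=%11%22%33%44%55;type=cert
    type: certificate
    label: Example Distrusted CA
    trust: blacklisted
    category: authority
EOF
}

# Demo: only ACCVRAIZ1 is in the baseline, so the second anchor is reported.
baseline=$(mktemp) && printf 'ACCVRAIZ1\n' > "$baseline"
sample_trust_list | unexpected_anchors "$baseline"; rm -f "$baseline"
```

Entries that are not anchors are skipped, so only certificates the system actually trusts as CAs are compared with the baseline.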
To store a trust anchor into the system-wide trust store, use the trust anchor sub-command and specify a path to a certificate, for example:
To remove a certificate, use either a path to a certificate or an ID of a certificate:
# trust anchor --remove path.to/certificate.crt
# trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
More information
All sub-commands of the trust command offer detailed built-in help, for example:
For more information, see the following man pages:
trust(1)