In addition, in RHEL 6 or CentOS 6 since end 2013 updated with “ca-certificates” package version 2013.1.94-65.0 or later, the Shared System Certificate Authority (CA) storage is also available. The Shared System CA storage uses “update-ca-trust” tool to manage consolidated and dynamic configuration of CA certificates and associated trust stored in configuration files found in the /etc/pki/ca-trust/extracted directory or that load the PKCS#11 module p11-kit-trust.so. The dynamic shared system CA configuration feature can provide functionally compatible replacements for classic CA configuration files and for the classic NSS trust module named libnssckbi, but must be explicitly enabled by administrator through update-ca-trust enable command.
Regardless of which system you use, you may need to add and update more Certificate Authorities’ root certificates to the system CA store, as by default it doesn’t come with large number of root certificates that normally come pre-installed in a web browser. As the result, when you’re using various tools that depend on system’s CA bundle such as curl, Net::HTTP, Open, OpenURI to access resources encrypted by HTTPS (SSL), you may get certification verification error.
Depending on whether you’re using classic CA certificate bundle or newer Shared System CA storage, there are two different methods to update CA certificate bundle in RHEL, CentOS and their derived distros.
Update Classic CA Certificates Bundle
If you want to add CA certificates that is not included in Mozilla root CA list which the system CA bundle is based on, the recommended way in through Shared System CA Store through update-ca-trust Tool.
- Make a backup of the original CA certs bundle file, normally located in one of the following directories:
- Run the following command to update the CA bundle:
curl http://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
The command actually downloads a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format extracted from Mozilla’s root certificates file, and saves it as new ca-bundle.crt.
Add or Update CA Certificates to Shared System CA Store through update-ca-trust Tool
If it’s not enabled, and you want to enable the compatible replacements so that the legacy apps can use the new Shared System CA store, run the following command:
To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate to one of the following directory:
/etc/pki/ca-trust/source/anchors/ (trust settings is interpreted with a high priority)
/usr/share/pki/ca-trust-source/ (trust settings is interpreted with a low priority – may be overridden by other system settings)
Then run the following command:
Note that if your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), or is a bundle file with multiple certificates, then place it into the main source/ directory instead.