Red Hat Enterprise Linux (RHEL), CentOS, Fedora, Scientific Linux and other Linux distributions derived from RHEL provides the system-default legacy classic CA certificate trust bundle Mozilla root CA list, where they have classic file names and are stored in fixed locations. For example, /etc/pki/tls/cert.pem, /etc/pki/tls/certs/ca-bundle.crt, /usr/share/ssl/certs/ca-bundle.crt and /etc/pki/tls/certs/ (some of the files may be just a symlink). In RHEL 6 or CentOS 6 and newer, the bundle is part of the “ca-certificates” package, and thus updated by “ca-certificates” package. In RHEL 5 or CentOS 5 and earlier, the bundle is part of the “OpenSSL” package.

In addition, in RHEL 6 or CentOS 6 since end 2013 updated with “ca-certificates” package version 2013.1.94-65.0 or later, the Shared System Certificate Authority (CA) storage is also available. The Shared System CA storage uses “update-ca-trust” tool to manage consolidated and dynamic configuration of CA certificates and associated trust stored in configuration files found in the /etc/pki/ca-trust/extracted directory or that load the PKCS#11 module The dynamic shared system CA configuration feature can provide functionally compatible replacements for classic CA configuration files and for the classic NSS trust module named libnssckbi, but must be explicitly enabled by administrator through update-ca-trust enable command.

Regardless of which system you use, you may need to add and update more Certificate Authorities’ root certificates to the system CA store, as by default it doesn’t come with large number of root certificates that normally come pre-installed in a web browser. As the result, when you’re using various tools that depend on system’s CA bundle such as curl, Net::HTTP, Open, OpenURI to access resources encrypted by HTTPS (SSL), you may get certification verification error.

Depending on whether you’re using classic CA certificate bundle or newer Shared System CA storage, there are two different methods to update CA certificate bundle in RHEL, CentOS and their derived distros.

Update Classic CA Certificates Bundle

In most cases, the system default CA certificate bundle has been kept updating by yum through “ca-certificates” package. In addition, the modification done to ca-bundle.crt file may be overwritten on the next “ca-certificates” package update.

If you want to add CA certificates that is not included in Mozilla root CA list which the system CA bundle is based on, the recommended way in through Shared System CA Store through update-ca-trust Tool.

  1. Make a backup of the original CA certs bundle file, normally located in one of the following directories:


  2. Run the following command to update the CA bundle:
    curl -o /etc/pki/tls/certs/ca-bundle.crt

    The command actually downloads a bundle of X.509 certificates of public Certificate Authorities (CA) in PEM format extracted from Mozilla’s root certificates file, and saves it as new ca-bundle.crt.

Add or Update CA Certificates to Shared System CA Store through update-ca-trust Tool

Use the following command to check if you have enabled the Shared System CA Certificates features:

update-ca-trust check

If it’s not enabled, and you want to enable the compatible replacements so that the legacy apps can use the new Shared System CA store, run the following command:

update-ca-trust enable

To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate to one of the following directory:

/etc/pki/ca-trust/source/anchors/ (trust settings is interpreted with a high priority)

/usr/share/pki/ca-trust-source/ (trust settings is interpreted with a low priority – may be overridden by other system settings)

Then run the following command:

update-ca-trust extract

Note that if your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS), or is a bundle file with multiple certificates, then place it into the main source/ directory instead.