"update-ca-trust" to Remove CA Certificate

This section provides a tutorial example on removing user-added CA certificates from the Trust Store using the 'update-ca-trust' command on Red Hat-based computers.

The "update-ca-trust" command can also be used to remove a CA certificate that was previously added to the Trust Store. This can be done in 3 steps:

1. Remove the root CA certificate from the input directory where you previously added it. For example:

 
herong$ sudo rm /usr/share/pki/ca-trust-source/anchors/ZZ-Root-CA.crt

2. Run the "update-ca-trust" command to scan those 6 input directories and update the Trust Store.

 
herong$ sudo update-ca-trust

3. Verify the PEM bundle file in the Trust Store:

herong$ grep \
  'MTMwNzA4WjAiMQswCQYDVQQGEwJaWjETMBEGA1UEAxMKWlogUm9vdCBDQTB2MBAG' \
  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

  (no matches)
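
The grep in step 3 matches a single base64 line, so it only finds the certificate when the bundle wraps its text exactly as your copy did. As an added example (not part of the original tutorial), the script below compares SHA-256 digests of the decoded certificate bytes instead. The function names and the stand-in "certificates" are constructed for illustration, and it assumes you kept a copy of the removed certificate file.

```sh
#!/bin/sh
# Added example: check whether a CA certificate is present in a PEM bundle by
# comparing SHA-256 digests of the decoded bytes, not base64 text lines.

# Print one SHA-256 hex digest per CERTIFICATE block in the PEM file $1.
# For a real certificate this is the digest that
# `openssl x509 -fingerprint -sha256` reports (there in upper case with colons).
pem_fingerprints() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; b64 = ""; next }
    /-----END CERTIFICATE-----/   { if (inside) print b64; inside = 0; next }
    inside { gsub(/[ \t\r]/, ""); b64 = b64 $0 }
  ' "$1" | while IFS= read -r b64; do
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
  done
}

# Exit 0 if the first certificate in file $1 is in bundle $2, 1 if it is not,
# 2 if $1 contains no certificate block at all.
cert_in_bundle() {
  want=$(pem_fingerprints "$1" | head -n 1)
  [ -n "$want" ] || return 2
  pem_fingerprints "$2" | grep -qxF "$want"
}

# Constructed stand-in for a certificate: arbitrary bytes in a PEM wrapper,
# with base64 lines folded at width $2. Not a real X.509 certificate.
make_pem() {
  echo "-----BEGIN CERTIFICATE-----"
  printf '%s' "$1" | base64 | tr -d '\n' | fold -w "$2"
  echo
  echo "-----END CERTIFICATE-----"
}

# Build a "before" bundle that holds the CA with different line wrapping and
# an "after" bundle without it, then run the check against both.
demo() {
  d=$(mktemp -d)
  make_pem "constructed stand-in for ZZ Root CA" 64 > "$d/ZZ-Root-CA.crt"
  { make_pem "constructed stand-in for another CA" 64
    make_pem "constructed stand-in for ZZ Root CA" 16; } > "$d/before.pem"
  make_pem "constructed stand-in for another CA" 64 > "$d/after.pem"
  cert_in_bundle "$d/ZZ-Root-CA.crt" "$d/before.pem" && echo "before: present"
  cert_in_bundle "$d/ZZ-Root-CA.crt" "$d/after.pem"  || echo "after: absent"
  rm -rf "$d"
}

demo
```

On a real system, run cert_in_bundle with your saved copy of ZZ-Root-CA.crt and /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; exit status 1 after step 2 means the certificate is no longer in the bundle.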

By the way, "update-ca-trust" does not allow you to remove any CA certificate installed by the system in the Trust Store. But you can disable (distrust) it as shown in the next tutorial.
