PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
"update-ca-trust" vs "trust" on Red Hat Computers
This section describes the differences between the "update-ca-trust" and "trust" commands on Red Hat-based computers.
From previous tutorials, we learned that two commands are used together on Red Hat-based computers to manage the Trust Store:
1. "update-ca-trust" - Allows you to add CA certificates to the Trust Store by placing them in the /etc/pki/ca-trust/source/anchors/ directory, or to disable them by placing them in the /etc/pki/ca-trust/source/blacklist/ directory.
2. "trust" from the p11-kit package - Allows you to search, view, or export CA certificates from the Trust Store. The "add" and "remove" functions of "trust" are turned off.
To confirm this understanding, let's refresh the Trust Store with the "update-ca-trust" command, count the total certificates with the "trust" command, then verify that count against the extracted bundle file.
# on a CentOS 8 computer
herong# sudo update-ca-trust
herong$ trust list --filter=trust-policy | grep certificate | wc
145 290 3190
herong$ grep BEGIN /etc/pki/tls/certs/ca-bundle.trust.crt | wc
145 435 5220
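The same cross-check as a reusable script, added here as an example and not part of the original tutorial. The function names and the sample data are made up for illustration; on a real system, save the output of "trust list --filter=trust-policy" to a file and pass it, together with /etc/pki/tls/certs/ca-bundle.trust.crt, to check_trust_store.

```shell
#!/bin/sh
# Added example (not from the original tutorial): cross-check the number of
# certificates reported by "trust list" against the extracted PEM bundle.

# Count certificate objects in "trust list" output read from stdin.
# Matching the whole "type:" field, rather than the bare word "certificate",
# keeps a label that contains that word from inflating the count.
count_trust_list() {
    grep -c '^[[:space:]]*type: certificate$' || true
}

# Count PEM entries in a bundle; ca-bundle.trust.crt uses the
# "BEGIN TRUSTED CERTIFICATE" header, plain bundles use "BEGIN CERTIFICATE".
count_pem_bundle() {
    grep -Ec '^-----BEGIN (TRUSTED )?CERTIFICATE-----$' "$1" || true
}

# $1 = saved "trust list" output, $2 = PEM bundle. Returns 0 when counts agree.
check_trust_store() {
    policy=$(count_trust_list < "$1")
    bundle=$(count_pem_bundle "$2")
    echo "trust list: $policy  bundle: $bundle"
    [ "$policy" -eq "$bundle" ]
}

# Constructed sample data (two CAs; labels and bodies are placeholders).
write_samples() {
    cat > "$1/policy.txt" <<'EOF'
pkcs11:id=%01;type=cert
    type: certificate
    label: Example Root CA 1
    trust: anchor
    category: authority

pkcs11:id=%02;type=cert
    type: certificate
    label: Example certificate authority 2
    trust: anchor
    category: authority
EOF
    printf '%s\n' '# Example Root CA 1' '-----BEGIN TRUSTED CERTIFICATE-----' \
        'PLACEHOLDER' '-----END TRUSTED CERTIFICATE-----' > "$1/one.crt"
    cat "$1/one.crt" "$1/one.crt" > "$1/two.crt"
}

demo=$(mktemp -d)
write_samples "$demo"
check_trust_store "$demo/policy.txt" "$demo/two.crt" && echo "in sync"
check_trust_store "$demo/policy.txt" "$demo/one.crt" || echo "drift: rerun update-ca-trust"
```

A mismatch between the two counts usually means the extracted bundle is stale, for example because a file was placed in the anchors directory without running "update-ca-trust" afterwards.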