
Managing Encryption and Certificates in Oracle® Solaris 11.4


Updated: May 2021

Managing Certificates in the Oracle Solaris CA Keystore

Oracle Solaris provides a keystore for Certificate Authority (CA) certificate files. To manage the keystore, you restart the SMF ca-certificates service after you add certificates to, or remove or blacklist certificates from, the keystore.

X.509 certificates contain an RSA public key and the key's signer ("CN" or "Subject"). Together, the key and signer verify that a file or object was signed with the key holder's private key. CA certificates are issued by well-known organizations to verify that a certificate is legitimate and that the public key in the certificate can be trusted.

Oracle Solaris keeps the CA certificates in the /etc/certs/CA directory. Hashed links to the CA certificates are in the /etc/openssl/certs directory to enable fast lookup and access, typically by OpenSSL. Usually, each filename in the /etc/certs/CA directory is the certificate holder's CN with spaces replaced by underscores ("_") and appended with a .pem extension. For example, the file /etc/certs/CA/ExampleCo-_G3.pem contains the certificate for CN "ExampleCo Class 4 Public Primary Certification Authority - G3".

Note - Certificates in the /etc/certs directory are not automatically included in the Java keystore. You must add them separately.
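The following shell functions are an added example, not part of the Oracle Solaris documentation: they derive the conventional /etc/certs/CA file name from a CN, install a PEM file under that name and restart the ca-certificates service, and check that the keystore entry has a hashed link in /etc/openssl/certs. The directory arguments, the function names, and the `svcadm restart ca-certificates` invocation are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris documentation: derive the
# keystore file name for a CA certificate from its CN using the convention
# described above, install a PEM file under that name, and verify that the
# keystore entry has a hashed link (such as /etc/openssl/certs/<hash>.0).
# Directory arguments are parameters so the functions can be exercised
# against a staging copy of the keystore rather than the live /etc tree.

# CN -> conventional file name: spaces become "_", ".pem" is appended.
ca_pem_name() {
    printf '%s' "$1" | tr ' ' '_'
    printf '.pem\n'
}

# Copy a PEM file into the CA directory under its conventional name, then
# restart the SMF ca-certificates service (skipped when svcadm is absent,
# e.g. when exercising the functions on a non-Solaris host).
#   $1 = source PEM file, $2 = CN, $3 = CA directory (default /etc/certs/CA)
install_ca_cert() {
    src=$1; cn=$2; ca_dir=${3:-/etc/certs/CA}
    dest="$ca_dir/$(ca_pem_name "$cn")"
    cp "$src" "$dest" || return 1
    if command -v svcadm >/dev/null 2>&1; then
        svcadm restart ca-certificates || return 1
    fi
    echo "$dest"
}

# Succeed only if the certificate for this CN is present in the CA directory
# and some entry in the hashed-link directory resolves to the same file.
#   $1 = CN, $2 = CA directory, $3 = hashed-link directory
check_ca_cert() {
    cn=$1; ca_dir=${2:-/etc/certs/CA}; link_dir=${3:-/etc/openssl/certs}
    pem="$ca_dir/$(ca_pem_name "$cn")"
    [ -f "$pem" ] || { echo "missing in keystore: $pem" >&2; return 1; }
    for link in "$link_dir"/*; do
        # -ef: both names refer to the same file (follows symlinks)
        [ -L "$link" ] && [ "$link" -ef "$pem" ] && return 0
    done
    echo "no hashed link for $pem in $link_dir" >&2
    return 2
}
```

A non-zero return from `check_ca_cert` after a service restart indicates that either the file name does not follow the convention or the hashed link was not generated.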