4 Managing System Certificates
In Oracle Linux releases earlier than 10, certificates that are trusted system-wide are stored in the /etc/pki/ca-trust/ and /usr/share/pki/ca-trust-source/ directories.
In Oracle Linux release 10, certificates that are trusted system-wide are stored as .pem files in the /etc/pki/ca-trust/extracted directory.
Note:
If you're using Oracle Linux release 10 and any applications, scripts, or configurations refer directly to files in /etc/pki/tls/certs, change them to use the new path; otherwise they will not find the bundle and cannot validate certificates. For example, if the old path is:
/etc/pki/tls/certs/ca-bundle.crt
You must now use:
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Typically, the CA certificates of major third-party CAs are included within the system-wide trust store to enable applications to work correctly. By storing trusted certificates in a central location, a wide range of applications can use these trusted certificates to validate and authenticate certificate chains. For example, when an application needs to validate a certificate, it uses the certificates within the system-wide trust store to confirm whether the certificate either matches a trusted certificate or chains to one.
A certificate, such as a CA certificate, that's stored on a system as a trusted certificate is often referred to as a trust anchor. This distinguishes the certificate from one for which trust is derived, typically by walking through a certificate chain until a trust anchor is found. You can add any public certificate to the system trust store as a trust anchor so that it is trusted immediately, without a chain to any other anchor. Because every application that uses the system trust store then accepts any certificate that anchor signs, add only CA certificates that you control or have verified.
Commonly trusted third-party CA certificates are selected by the Mozilla Foundation and are included in the ca-certificates package. These certificates are installed into the system trust store as anchors for general use.
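The following script is an added example, not part of the Oracle Linux documentation. It shows how a script can locate the system CA bundle on both Oracle Linux 10 and earlier releases (the path change described in the note above), how to install a local CA certificate as a trust anchor, and how to check a certificate against the system trust store. The function names and the placeholder bundle that stage_sample_tree writes are this example's own; installing an anchor assumes root privileges and the ca-certificates and openssl packages.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux documentation). Helpers for scripts that
# must work with the system trust store on Oracle Linux 10 and earlier releases.

# Bundle regenerated by update-ca-trust; the path to use on Oracle Linux 10.
NEW_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Legacy path that older scripts hard-code and that Oracle Linux 10 no longer provides.
OLD_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
# Directory for locally added anchors, picked up by update-ca-trust.
ANCHOR_DIR=/etc/pki/ca-trust/source/anchors

# ca_bundle_path [ROOT]: print the first readable bundle, preferring the new path.
# ROOT (default empty, meaning "/") lets the lookup run against a staged tree for testing.
ca_bundle_path() {
    root=${1:-}
    for candidate in "$root$NEW_BUNDLE" "$root$OLD_BUNDLE"; do
        if [ -r "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no CA bundle found under ${root:-/}" >&2
    return 1
}

# count_pem_certs FILE: number of PEM certificate blocks in a bundle, a sanity
# check that a freshly extracted bundle is not empty. Prints 0 for an empty file.
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }' "$1"
}

# add_trust_anchor CERT.pem: install a CA certificate as a system trust anchor.
# Requires root. Rejects files that are not PEM certificates, copies the file into
# the anchors directory, and regenerates the extracted bundles so the anchor is
# trusted immediately by every application that reads the system trust store.
add_trust_anchor() {
    cert=$1
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "$cert is not a PEM certificate" >&2
        return 1
    }
    install -m 0644 "$cert" "$ANCHOR_DIR/"
    update-ca-trust extract
}

# verify_against_system_trust CERT.pem: check that a certificate chains to an anchor
# in whichever system bundle this release provides.
verify_against_system_trust() {
    openssl verify -CAfile "$(ca_bundle_path)" "$1"
}

# stage_sample_tree DIR: build a constructed directory tree under DIR with a
# two-entry placeholder bundle at the Oracle Linux 10 path, so ca_bundle_path and
# count_pem_certs can be exercised offline. The PEM bodies are placeholders,
# not real certificates, and must not be passed to openssl.
stage_sample_tree() {
    mkdir -p "$1/etc/pki/ca-trust/extracted/pem"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-1' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-2' '-----END CERTIFICATE-----' \
        > "$1$NEW_BUNDLE"
}

# Usage when run directly: ./trust-store.sh show
if [ "${1:-}" = "show" ]; then
    bundle=$(ca_bundle_path) &&
        echo "system trust bundle: $bundle ($(count_pem_certs "$bundle") certificates)"
fi
```

Run `./trust-store.sh show` on a live system to confirm which bundle path is in use and how many anchors it holds; after `add_trust_anchor my-ca.pem` (as root) the count increases by one and `verify_against_system_trust server.pem` succeeds for certificates issued under that CA.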