Using the Trust Command to Manage System Certificates

The trust command can simplify system certificate management. This command is available in the p11-kit-trust package and is installed by default on most Oracle Linux systems. See the trust(1) manual page for more information.
Listing Certificates in the System Trust

To list all trusted certificates, run the following command:

    trust list

Output similar to the following is displayed:
pkcs11:id=%37%7F%3E%3E%99%71%60%CA%24%D4%91%13%79%D0%74%29%B4%A8%24%D8;type=cert
type: certificate
label: A-CERT ADVANCED
trust: anchor
category: authority
pkcs11:id=%4B%3C%8C%1D%85%E9%6F%AD;type=cert
type: certificate
label: A-Trust-Qual-01
trust: anchor
category: authority
...
Note that each certificate in the system trust is allocated a pkcs11:id value that can be used to identify a particular certificate for other trust operations.
Adding a Certificate as a Trust Anchor

To add a certificate to the system trust as an anchor, run the following command:

    sudo trust anchor /path/to/public.cert

Substitute /path/to/public.cert with the path to the certificate file that you want to add to the system trust.

When you run this command, the certificate is added to the /etc/pki/ca-trust/source/ directory and the system trust is refreshed. The certificate is immediately trusted as an anchor.
Typically, you only add certificates from providers that you trust and which aren't already available in the system trust. You can also add self-signed certificates that you might generate for demonstration purposes or for internal or developer tooling.
Removing a Certificate From the System Trust Anchors

To remove a certificate from the system trust anchors, run the following command:

    sudo trust anchor --remove pkcs11:id=<ID>

Use the matching pkcs11:id value to provide the <ID> of the certificate that you want to remove. Or, if you have a copy of the certificate available, you can specify its location as follows:

    sudo trust anchor --remove /path/to/public.cert

The system trust store is updated immediately.
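The removal form above needs the pkcs11:id that trust list assigns to the certificate. As an added example that is not part of the Oracle Linux documentation, the following POSIX shell function parses trust list output (the record format shown in the listing section) and prints the URI of each anchor whose label matches, ready to pass to trust anchor --remove. The sample listing and the "Example Internal CA" label are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux docs: find the pkcs11:id that
# `trust list` assigned to a certificate so it can be handed to
# `trust anchor --remove`. Reads `trust list` output on stdin.

# Print the pkcs11 URI of every record whose label equals $1 exactly and
# whose trust value equals $2 (default: anchor). In `trust list` output a
# record starts with a "pkcs11:" line and continues with "key: value" lines.
trust_ids_for_label() {
    awk -v want_label="$1" -v want_trust="${2:-anchor}" '
        function flush() {
            if (uri != "" && rec_label == want_label && rec_trust == want_trust)
                print uri
            uri = ""; rec_label = ""; rec_trust = ""
        }
        /^pkcs11:/ { flush(); uri = $0; next }
        /^[[:space:]]*label:/ { sub(/^[[:space:]]*label:[[:space:]]*/, ""); rec_label = $0; next }
        /^[[:space:]]*trust:/ { sub(/^[[:space:]]*trust:[[:space:]]*/, ""); rec_trust = $0; next }
        END { flush() }
    '
}

# Constructed sample of `trust list` output (same shape as the real listing);
# the same label appears twice with different trust values to show that the
# trust field is checked, not just the label.
SAMPLE_TRUST_LIST='pkcs11:id=%4B%3C%8C%1D%85%E9%6F%AD;type=cert
    type: certificate
    label: A-Trust-Qual-01
    trust: anchor
    category: authority
pkcs11:id=%01%02%03;type=cert
    type: certificate
    label: Example Internal CA
    trust: anchor
    category: authority
pkcs11:id=%04%05%06;type=cert
    type: certificate
    label: Example Internal CA
    trust: distrusted
    category: authority'

# Stand-alone run on the sample. On a real host replace the printf with
# `trust list`, e.g.:  trust list | trust_ids_for_label "Example Internal CA"
printf '%s\n' "$SAMPLE_TRUST_LIST" | trust_ids_for_label "Example Internal CA"
```

The printed URI can then be used as the <ID> in sudo trust anchor --remove pkcs11:id=<ID>; an empty result means no anchor with that label is in the store.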