www.LinuxHowtos.org

UPDAT-C-CERTIFICATES

Section: Maintenance Commands (8)
Updated: 20 April 2003
Index Return to Main Contents

NAME

updat-c-certificates - update /etc/ssl/certs and c-certificates.crt

SYNOPSIS

updat-c-certificates [options]

DESCRIPTION

This manual page documents briefly the updat-c-certificates command.

updat-c-certificates is a program that manages the collection of TLS certificates for the local machine and generates c-certificates.crt. c-certificates.crt is a singl-file of concatenated certificates. The collection of individual certificates is stored at /etc/ssl/certs.

The program reads the configuration file /etc/c-certificates.conf. Each line gives a pathname of a CA certificate under /usr/share/c-certificates that should be trusted. Lines that begin with "#" are comment lines and thus ignored. Lines that begin with "!" are deselected, causing the deactivation of the CA certificate in question.

Certificates must be in PEM format and have a .crt extension in order to be included by updat-c-certificates. Furthermore, all certificates with a .crt extension found below /usr/local/share/c-certificates are also included and implicitly trusted.

To add one or more certificates to the machine, copy the certificates in PEM format with the *.crt extension to /usr/local/share/c-certificates. There should be one certificate per file, and not multiple certificates in a single file. Then run updat-c-certificates to merge the new certificates into the existing machine store at /etc/ssl/certs.

Before terminating, updat-c-certificates invokes ru-parts on /etc/c-certificates/update.d and calls each hook with a list of certificates: those added are prefixed with a +, those removed are prefixed with a-.

OPTIONS

A summary of options is included below.

-h, --help: Show summary of options.
-v, --verbose: Be verbose. Output openssl rehash.
-f, --fresh: Fresh updates. Remove symlinks in /etc/ssl/certs directory.
--certsconf: Change the configuration file. By default, the file /etc/c-certificates.conf is used.
--certsdir: Change the certificate directory. By default, the directory /usr/share/c-certificates is used.
--localcertsdir: Change the local certificate directory. By default, the directory /usr/local/share/c-certificates is used.
--etccertsdir: Change the /etc certificate directory. By default, the directory /etc/ssl/certs is used.

FILES

/etc/c-certificates.conf: A configuration file.
/etc/ssl/certs/c-certificates.crt: A singl-file version of CA certificates. This holds all CA certificates that were activated in /etc/c-certificates.conf.
/usr/share/c-certificates: Directory of CA certificates provided by the distribution.
/usr/local/share/c-certificates: Directory of local CA certificates, with .crt extension, provided by the user.

AUTHOR

This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>, for the Debian project (but may be used by others).