quick-docs/modules/ROOT/partialsdelete/2delete-con_using-the-system-wide-trust-store.adoc.delete.adoc

[[using-the-system-wide-trust-store]]
= Using the System-wide Trust Store

In Fedora, the consolidated system-wide trust store is located in the `/etc/pki/ca-trust/` and `/usr/share/pki/ca-trust-source/` directories. The trust settings in `/usr/share/pki/ca-trust-source/` are processed with lower priority than settings in `/etc/pki/ca-trust/`.

Certificate files are treated depending on the subdirectory they are installed to the following directories:

* for trust anchors
** `/usr/share/pki/ca-trust-source/anchors/` or
** `/etc/pki/ca-trust/source/anchors/`
* for distrusted certificates
** `/usr/share/pki/ca-trust-source/blocklist/` or
** `/etc/pki/ca-trust/source/blocklist/`
* for certificates in the extended BEGIN TRUSTED file format
** `/usr/share/pki/ca-trust-source/` or
** `/etc/pki/ca-trust/source/`

NOTE: In a hierarchical cryptographic system, a trust anchor is an authoritative entity which is assumed to be trustworthy. For example, in X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. The trust anchor must be put in the possession of the trusting party beforehand to make path validation possible.
Shared System Certificates added 2017-12-14 10:38:29 +00:00			`[[using-the-system-wide-trust-store]]`
			`= Using the System-wide Trust Store`

			In Fedora, the consolidated system-wide trust store is located in the `/etc/pki/ca-trust/` and `/usr/share/pki/ca-trust-source/` directories. The trust settings in `/usr/share/pki/ca-trust-source/` are processed with lower priority than settings in `/etc/pki/ca-trust/`.

Fix Shared certificates. 2018-01-21 14:35:53 +00:00			`Certificate files are treated depending on the subdirectory they are installed to the following directories:`
Shared System Certificates added 2017-12-14 10:38:29 +00:00
Fix Shared certificates. 2018-01-21 14:35:53 +00:00			`* for trust anchors`
			** `/usr/share/pki/ca-trust-source/anchors/` or
			** `/etc/pki/ca-trust/source/anchors/`
			`* for distrusted certificates`
Fix directory locations for distrusted certificates The directory has been renamed from .../blacklist to .../blocklist in all supported Fedora releases. Signed-off-by: Daiki Ueno <dueno@redhat.com> 2023-02-06 22:43:23 +00:00			** `/usr/share/pki/ca-trust-source/blocklist/` or
			** `/etc/pki/ca-trust/source/blocklist/`
Fix Shared certificates. 2018-01-21 14:35:53 +00:00			`* for certificates in the extended BEGIN TRUSTED file format`
			** `/usr/share/pki/ca-trust-source/` or
			** `/etc/pki/ca-trust/source/`
Shared System Certificates added 2017-12-14 10:38:29 +00:00
			`NOTE: In a hierarchical cryptographic system, a trust anchor is an authoritative entity which is assumed to be trustworthy. For example, in X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. The trust anchor must be put in the possession of the trusting party beforehand to make path validation possible.`