mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-24 21:35:17 +00:00
adding-new-certificates: Prefer using "trust anchor" command

There are a couple of methods to install a certificate into the trust store: using "trust anchor" or copying the file to /etc/pki/ca-trust/source/anchors/. The former is simpler and more flexible as it doesn't require update-ca-trust and the installed certificates can be removed with "trust anchor --remove".

For more context, see: https://bugzilla.redhat.com/show_bug.cgi?id=2163554

Signed-off-by: Daiki Ueno <dueno@redhat.com>
parent
43f7068c07
commit
c93dcafa78
1 changed files with 10 additions and 3 deletions
|
@ -1,19 +1,26 @@
|
||||||
[id='proc_adding-new-certificates']
|
[id='proc_adding-new-certificates']
|
||||||
= Adding New Certificates
|
= Adding New Certificates
|
||||||
|
|
||||||
To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the `/etc/pki/ca-trust/source/anchors/` directory, for example:
|
Often, system administrators want to install a certificate into the trust store. This can be done with the [command]`trust anchor` sub-command of the [command]`trust` command, as described in xref:managing-trusted-system-certificates[Managing Trusted System Certificates].
|
||||||
|
|
||||||
|
Alternatively, you can simply copy the certificate file in the PEM or DER file format to the `/etc/pki/ca-trust/source/anchors/` directory, followed by running the [command]`update-ca-trust` command, for example:
|
||||||
|
|
||||||
[subs="+quotes,macros"]
|
[subs="+quotes,macros"]
|
||||||
----
|
----
|
||||||
# cp _~/certificate-trust-examples/Cert-trust-test-ca.pem_ _/etc/pki/ca-trust/source/anchors/_
|
# cp _~/certificate-trust-examples/Cert-trust-test-ca.pem_ _/etc/pki/ca-trust/source/anchors/_
|
||||||
----
|
----
|
||||||
|
|
||||||
To update the system-wide trust store configuration, use the [command]`update-ca-trust` command:
|
|
||||||
|
|
||||||
----
|
----
|
||||||
# update-ca-trust
|
# update-ca-trust
|
||||||
----
|
----
|
||||||
|
|
||||||
|
The [command]`update-ca-trust` command ensures that the certificate bundles in application-specific formats, such as Java keystore, are regenerated.
|
||||||
|
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
The certificates installed in the above steps cannot be removed with the [command]`trust anchor --remove`.
|
||||||
|
====
|
||||||
|
|
||||||
[NOTE]
|
[NOTE]
|
||||||
====
|
====
|
||||||
While the Firefox browser is able to use an added certificate without executing [command]`update-ca-trust`, it is recommended to run [command]`update-ca-trust` after a CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear the browser's cache or restart your browser to load the current system certificates configuration.
|
While the Firefox browser is able to use an added certificate without executing [command]`update-ca-trust`, it is recommended to run [command]`update-ca-trust` after a CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear the browser's cache or restart your browser to load the current system certificates configuration.
|
||||||
|
|
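Review bot: The added NOTE's wording "installed in the above steps" is ambiguous now that the section describes two methods, and a reader can take it to cover the `trust anchor` route recommended in the new opening paragraph. Name the method explicitly, for example "Certificates copied to `/etc/pki/ca-trust/source/anchors/` cannot be removed with [command]`trust anchor --remove`", which also drops the dangling "the" before the command. Two smaller points: the preferred method is given only as an xref while the fallback keeps a full `cp` example, so an inline `trust anchor` example with the same `Cert-trust-test-ca.pem` file would match the stated preference; and with the "To update the system-wide trust store configuration" sentence removed, the `# update-ca-trust` listing now follows the `cp` listing with no text between them, so either merge the two commands into one listing or keep a short introductory line.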