NAME
update-ca-certificates - update /etc/ssl/certs and ca-certificates.crt
SYNOPSIS
update-ca-certificates [options]
DESCRIPTION
This manual page documents briefly the update-ca-certificates command.
update-ca-certificates is a program that manages the collection of TLS certificates for the local machine and generates ca-certificates.crt. ca-certificates.crt is a single file of concatenated certificates. The collection of individual certificates is stored at /etc/ssl/certs.
The program reads the configuration file /etc/ca-certificates.conf. Each line gives a pathname of a CA certificate under /usr/share/ca-certificates that should be trusted. Lines that begin with "#" are comment lines and thus ignored. Lines that begin with "!" are deselected, causing the deactivation of the CA certificate in question.
Certificates must be in PEM format and have a .crt extension in order to be included by update-ca-certificates. Furthermore, all certificates with a .crt extension found below /usr/local/share/ca-certificates are also included and implicitly trusted.
To add one or more certificates to the machine, copy the certificates in PEM format with the *.crt extension to /usr/local/share/ca-certificates. There should be one certificate per file, and not multiple certificates in a single file. Then run update-ca-certificates to merge the new certificates into the existing machine store at /etc/ssl/certs.
Before terminating, update-ca-certificates invokes run-parts on /etc/ca-certificates/update.d and calls each hook with a list of certificates: those added are prefixed with a +, those removed are prefixed with a -.
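The selection rules described above (configuration lines, "#" and "!" prefixes, the .crt extension, PEM format, one certificate per file) can be previewed before running the command. The following is an added example, not code from the ca-certificates package: the function names, the finding labels and the fixture file names are assumptions made for illustration, and the fixture files are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example (not part of ca-certificates): read-only preview of the
# selection rules described on this page. Nothing in /etc/ssl/certs changes.

# Count PEM certificate header lines in a file (no parsing or validation).
pem_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# preview CONF CERTSDIR LOCALDIR prints one finding per line:
#   INCLUDE  conf entry present under CERTSDIR, or local .crt with one cert
#   SKIP     conf entry deselected with "!"
#   MISSING  conf entry with no file under CERTSDIR
#   IGNORED  file under LOCALDIR without a .crt extension
#   NOTPEM   local .crt file with no PEM certificate header
#   MULTI    local .crt file holding more than one certificate
preview() {
    conf=$1; certsdir=$2; localdir=$3
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;   # comments; blank lines skipped too (assumption)
            '!'*) echo "SKIP $certsdir/${line#"!"}" ;;
            *) if [ -f "$certsdir/$line" ]; then echo "INCLUDE $certsdir/$line"
               else echo "MISSING $certsdir/$line"; fi ;;
        esac
    done < "$conf"
    find "$localdir" -type f | sort | while IFS= read -r f; do
        case $f in
            *.crt) n=$(pem_count "$f")
                   if [ "$n" -eq 1 ]; then echo "INCLUDE $f"
                   elif [ "$n" -eq 0 ]; then echo "NOTPEM $f"
                   else echo "MULTI $f"; fi ;;
            *) echo "IGNORED $f" ;;
        esac
    done
}

# Constructed fixture: placeholder files, not real certificates.
demo() {
    d=$(mktemp -d); mkdir -p "$d/share/mozilla" "$d/local/corp"
    hdr='-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$hdr" > "$d/share/mozilla/Example_Root.crt"
    printf '%s\n' "$hdr" > "$d/local/corp/internal-ca.crt"
    printf '%s\n%s\n' "$hdr" "$hdr" > "$d/local/corp/chain.crt"
    printf '%s\n' "$hdr" > "$d/local/corp/proxy-ca.pem"
    printf 'binary\n' > "$d/local/corp/der-encoded.crt"
    printf '%s\n' '# constructed sample' 'mozilla/Example_Root.crt' \
        '!mozilla/Old_Root.crt' 'mozilla/Gone_Root.crt' > "$d/conf"
    (cd "$d" && preview conf share local); rm -rf "$d"
}
```

To review a real machine, call preview with /etc/ca-certificates.conf, /usr/share/ca-certificates and /usr/local/share/ca-certificates; every INCLUDE line under the local directory is a certificate that will be implicitly trusted.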
OPTIONS
A summary of options is included below.
- -h, --help
Show summary of options.
- -v, --verbose
Be verbose. Output openssl rehash.
- -f, --fresh
Fresh updates. Remove symlinks in /etc/ssl/certs directory.
- --certsconf
Change the configuration file. By default, the file /etc/ca-certificates.conf is used.
- --certsdir
Change the certificate directory. By default, the directory /usr/share/ca-certificates is used.
- --localcertsdir
Change the local certificate directory. By default, the directory /usr/local/share/ca-certificates is used.
- --etccertsdir
Change the /etc certificate directory. By default, the directory /etc/ssl/certs is used.
FILES
- /etc/ca-certificates.conf
A configuration file.
- /etc/ssl/certs/ca-certificates.crt
A single-file version of CA certificates. This holds all CA certificates that were activated in /etc/ca-certificates.conf.
- /usr/share/ca-certificates
Directory of CA certificates provided by the distribution.
- /usr/local/share/ca-certificates
Directory of local CA certificates, with .crt extension, provided by the user.
SEE ALSO
openssl(1)
AUTHOR
This manual page was written by Fumitoshi UKAI <[email protected]>, for the Debian project (but may be used by others).