Diffstat (limited to 'abs/core/ca-certificates/update-ca-trust.8.txt')
-rw-r--r-- abs/core/ca-certificates/update-ca-trust.8.txt | 75
1 files changed, 48 insertions, 27 deletions
diff --git a/abs/core/ca-certificates/update-ca-trust.8.txt b/abs/core/ca-certificates/update-ca-trust.8.txt
index 67e2ba3..ba9c830 100644
--- a/abs/core/ca-certificates/update-ca-trust.8.txt
+++ b/abs/core/ca-certificates/update-ca-trust.8.txt
@@ -74,11 +74,11 @@ will be scanned for any number of source files. *It is important to select
the correct subdirectory for adding files, as the subdirectory defines how
contained certificates will be trusted or distrusted, and which file formats are read.*
-Files in subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/ contain CA certificates and
+Files in *subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/* contain CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a *low priority*.
-Files in subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/ contain CA certificates and
+Files in *subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/* contain CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a *high priority*.
@@ -144,7 +144,7 @@ BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
-directory. After modifying any file in the
+directories. After modifying any file in the
/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
directories or in any of their subdirectories, or after adding a file,
it is necessary to run the 'update-ca-trust extract' command,
@@ -161,7 +161,7 @@ the dynamically merged set of certificates and trust information stored in the
[[extractconf]]
EXTRACTED CONFIGURATION
-----------------------
-The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains generated CA certificate
+The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contain generated CA certificate
bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>>
by running the 'update-ca-trust extract' command.
@@ -189,8 +189,13 @@ and distrusted certificates are missing from these files.
File cacerts contains CA certificates trusted for TLS server authentication.
The directory /etc/ca-certificates/extracted contains
+a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format,
+as described in the x509(1) manual page.
+File ca-bundle.trust.crt contains the full set of all trusted
+or distrusted certificates, including the associated trust flags.
+It also contains
CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format,
-as decribed in the x509(1) manual page.
+as described in the x509(1) manual page.
Distrust information cannot be represented in this file format,
and distrusted certificates are missing from these files.
File tls-ca-bundle.pem contains CA certificates
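Review bot: "the full set of all trusted or distrusted certificates" in the new ca-bundle.trust.crt sentence reads as if only one kind is present; the removed wording "trusted and distrusted" is the accurate one, since this bundle carries both and distinguishes them by trust flags. Also, the added "a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format" is separated from the file name it describes by a full sentence; naming it inline ("a CA certificate bundle file, ca-bundle.trust.crt, in the extended ...") keeps the name next to the format, matching how tls-ca-bundle.pem and the others are introduced below.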
@@ -199,10 +204,14 @@ File email-ca-bundle.pem contains CA certificates
trusted for E-Mail protection.
File objsign-ca-bundle.pem contains CA certificates
trusted for code signing.
-File ca-bundle.trust.crt contains certificates in the extended
-BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page.
-This bundle contains the full set of all trusted
-and distrusted certificates, including the associated trust flags.
+It also contains a CA
+certificate bundle ("edk2-cacerts.bin") in the "sequence of
+EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
+sections "31.4.1 Signature Database" and
+"EFI_CERT_X509_GUID". Distrust information cannot be represented in
+this file format, and distrusted certificates are missing from these
+files. File "edk2-cacerts.bin" contains CA certificates trusted for TLS
+server authentication.
COMMANDS
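Review bot: "distrusted certificates are missing from these files" in the new edk2-cacerts.bin paragraph refers to a single file, so it should read "this file"; the plural was carried over from the PEM bundle paragraph, where several files share the format. The specification reference is also slightly off: EFI_CERT_X509_GUID is a signature type GUID defined within UEFI 2.7 section 31.4.1 "Signature Database", not a section of its own, so something like "defined in the UEFI-2.7 specification, section 31.4.1 "Signature Database", using the EFI_CERT_X509_GUID signature type" would be more precise.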
@@ -215,11 +224,27 @@ COMMANDS
*extract*::
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
updated versions of the consolidated configuration files stored below
- the /etc/ssl/certs and /etc/ca-certificates/extracted directory
- hierarchies.
+ the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies.
FILES
-----
+/etc/ssl/certs::
+ Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ Also includes the necessary hash symlinks expected by OpenSSL.
+ These files are symbolic links that are maintained by the update-ca-trust command.
+
+/etc/ssl/certs/ca-certificates.crt::
+ Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/cert.pem::
+ Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/ssl/java/cacerts::
+ Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
+
/usr/share/ca-certificates/trust-source::
Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories.
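Review bot: the new /etc/ssl/certs, /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem entries drop the symlink targets that the removed entries in the next hunk stated ("symlinks into /etc/ca-certificates/extracted/cadir", "a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem"); "refers to the consolidated output created by the update-ca-trust command" no longer tells an administrator which file they are actually reading, which matters when checking what a TLS client will trust. Suggest keeping the target path in each entry, e.g. "This file is a symbolic link to /etc/ca-certificates/extracted/tls-ca-bundle.pem, the consolidated output created by the update-ca-trust command."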
@@ -232,32 +257,28 @@ FILES
See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
/etc/ca-certificates/extracted/tls-ca-bundle.pem::
- Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
/etc/ca-certificates/extracted/email-ca-bundle.pem::
- Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ File contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
/etc/ca-certificates/extracted/objsign-ca-bundle.pem::
- Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
/etc/ca-certificates/extracted/ca-bundle.trust.crt::
- Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+ File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+ This file is consolidated output created by the update-ca-trust command.
/etc/ca-certificates/extracted/cadir::
Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
- Also includes the necessary hash symlinks expected by OpenSSL.
-
-/etc/ssl/certs::
- Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command.
+ Also includes the necessary hash symlinks expected by OpenSSL.
+ These files are maintained by the update-ca-trust command.
-/etc/ssl/certs/ca-certificates.crt::
- Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
-
-/etc/ssl/cert.pem::
- Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
-
-/etc/ssl/java/cacerts::
- Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+/etc/ca-certificates/extracted/edk2-cacerts.bin::
+ File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information.
This file is consolidated output created by the update-ca-trust command.
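Review bot: the new /etc/ca-certificates/extracted/edk2-cacerts.bin entry describes the format as "the UEFI signature database format", while the EXTRACTED CONFIGURATION section in an earlier hunk calls the same file a "sequence of EFI_SIGNATURE_LISTs"; using one phrase in both places (or cross-referencing the section with <<extractconf,EXTRACTED CONFIGURATION>>, as the trust-source entries already do) avoids a reader wondering whether two different files are meant. The cadir entry's new "These files are maintained by the update-ca-trust command" also loses the distinction the /etc/ssl/certs entry makes between real files and symlinks; stating that cadir holds the actual certificate files and hash links, with /etc/ssl/certs pointing at them, would make the two entries consistent.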
AUTHOR