
I have a need to add system trust for a local CA certificate. This is prompted by a couple of applications but notably curl which warns about untrusted certs when connecting to our CA signed HTTPS endpoints.

I have seen a rainbow of answers on this question with some very ambiguous and vague explanations:

  1. /etc/pki/ca-trust/source/anchors/

This appears to be the most common answer and is described as being "high priority" but there is no explanation to what that means. I can make two guesses, both terrible: one, these are loaded first before the rest but what value does that have? Does any application really interrupt the OS loading of certs stores and have a chance of not getting the 'lower priority' CAs? Two, that there's some swordplay of the blacklisting and whitelisting between the stores, e.g. the blacklist here overrides whitelisting elsewhere, or whitelisting here overrides blacklisting elsewhere. This seems so dangerous as to be unlikely.

  2. /usr/share/pki/ca-trust-source/anchors/

This is "lower priority" than 1 but when should I use this? Always? Never? Does it even matter?

  3. /etc/pki/ca-trust/source/

This is the same as 1 but in a "BEGIN TRUSTED file format"? Presumably this is some kind of legacy format but there is no documentation to that effect. (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-shared-system-certificates_security-hardening)

  4. /usr/share/pki/ca-trust-source/

Again, same as 2 but "BEGIN TRUSTED file format".

  5. /etc/ssl/certs/ca-bundle.crt

No clue.

  6. /etc/ssl/certs/ca-bundle.trust.crt

Even less clue.

  7. /etc/pki/tls/certs/ca-bundle.crt

Sure, why not. (https://access.redhat.com/solutions/1549003)

  8. /etc/pki/tls/certs/ca-bundle.trust.crt

Yep. (Also https://access.redhat.com/solutions/1549003)

  9. /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

It keeps going....

  10. /usr/share/ssl/certs/ca-bundle.crt

Fedora Core 2 only?

Some other SO questions to 'clarify' the issue:

duct_tape_coder
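An added worked example, not part of the question or any answer, that installs a local CA through the first and third directories listed above and then checks that the generated bundle (/etc/pki/tls/certs/ca-bundle.crt) and curl actually pick it up. The script and its helper names (choose_trust_dir, install_local_ca, ca_in_bundle, check_endpoint) are mine, and it assumes a Fedora/RHEL-style system with update-ca-trust (p11-kit), openssl and curl installed.

```bash
#!/bin/sh
# Added example (not from the question): put a local CA into the shared system
# trust store on a Fedora/RHEL-style system and confirm the generated bundles
# picked it up. Assumes update-ca-trust (p11-kit), openssl and curl are present.
ANCHOR_DIR=/etc/pki/ca-trust/source/anchors  # plain PEM/DER CA certificates
TRUSTED_DIR=/etc/pki/ca-trust/source         # "BEGIN TRUSTED CERTIFICATE" files (OpenSSL trusted format)
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt      # generated by update-ca-trust; never edit by hand

# Print the source directory a certificate file belongs in, judged by its PEM
# header. Returns 1 for anything that is not a certificate file.
choose_trust_dir() {
    if grep -q '^-----BEGIN TRUSTED CERTIFICATE-----' "$1"; then
        printf '%s\n' "$TRUSTED_DIR"
    elif grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        printf '%s\n' "$ANCHOR_DIR"
    else
        return 1
    fi
}

# Copy the CA into its source directory (root required) and regenerate the
# extracted bundles under /etc/pki/ca-trust/extracted/, which the bundle paths
# in /etc/pki/tls/certs and /etc/ssl/certs are links to.
install_local_ca() {
    dest=$(choose_trust_dir "$1") || { echo "not a PEM certificate: $1" >&2; return 1; }
    install -m 0644 "$1" "$dest/" && update-ca-trust extract
}

# Succeeds only if the CA itself is in the generated bundle: a self-signed
# certificate verifies against a store only when that store contains it.
ca_in_bundle() {
    openssl verify -CAfile "$BUNDLE" "$1" >/dev/null 2>&1
}

# Fetch an HTTPS endpoint using nothing but the system store (no --cacert).
check_endpoint() {
    curl --silent --show-error --output /dev/null "$1"
}

# Usage (as root): CA_FILE=/path/to/local-ca.pem [URL=https://host/] sh install-local-ca.sh
if [ -n "${CA_FILE:-}" ]; then
    install_local_ca "$CA_FILE"
    if ca_in_bundle "$CA_FILE"; then
        echo "CA present in $BUNDLE"
    else
        echo "CA missing from $BUNDLE" >&2; exit 1
    fi
    [ -z "${URL:-}" ] || check_endpoint "$URL"
fi
```

If ca_in_bundle fails right after install_local_ca, the usual cause is a certificate that is not actually a CA (no basicConstraints CA:TRUE) or a file dropped into the wrong of the two source directories for its format.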