How To Reset The List Of Trusted CA Certificates In RHEL 6 And Later?

Trang chủ » Ca Rế » How To Reset The List Of Trusted CA Certificates In RHEL 6 And Later?

Có thể bạn quan tâm

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9

Issue

  • How can I reset the system-wide list of trusted CA certs on a RHEL 6 and later?

Resolution

It's simple for a process with root access to add new Certificate Authority (CA) certs to the system-wide database of trusted CAs. Many applications--both 3rd-party and shipped in RHEL--read CA certs from this database. (To name a few: lftp, curl, wget, openssl, firefox.)

Follow these steps to ensure the database contains only the default CAs.

  1. Create a backup directory to store any found certs for later inspection

    ~]# mkdir -p /root/cert.bak mkdir: created directory ‘/root/cert.bak’

  2. Reset and update the ca-certificates package This will revert away any direct customizations (e.g., to ca-bundle.crt) and update or reinstall the package

    ~]# rpm -Vv ca-certificates | awk '$1!="........." && $2!="d" {system("mv -v " $NF " /root/cert.bak")}' `/etc/pki/java/cacerts' -> `/root/cert.bak/cacerts' `/etc/pki/tls/certs/ca-bundle.crt' -> `/root/cert.bak/ca-bundle.crt' `/etc/pki/tls/certs/ca-bundle.trust.crt' -> `/root/cert.bak/ca-bundle.trust.crt' ~]# yum check-update ca-certificates; (($?==100)) && yum update ca-certificates || yum reinstall ca-certificates

  3. Ensure the /etc/pki/ca-trust/source/ and /etc/pki/ca-trust/source/anchors/ directories together contain only the following 2 files Move any other files to the backup directory

    ~]# find /etc/pki/ca-trust/source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} + /etc/pki/ca-trust/source/ca-bundle.legacy.crt /etc/pki/ca-trust/source/README

  4. Ensure the /usr/share/pki/ca-trust-source/ and /usr/share/pki/ca-trust-source/anchors/ directories together contain no more than the following 4 files (though RHEL 7.4+ will contain only 2 of them) Move any other files to the backup directory

    ~]# find /usr/share/pki/ca-trust-source{,/anchors} -maxdepth 1 -not -type d -exec ls -1 {} + /usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/README

  5. Rebuild the CA-trust database with update-ca-trust

    • Execute:   update-ca-trust extract

    • RHEL 6: the following warning will very likely be seen

      update-ca-trust: Warning: The dynamic CA configuration feature is in the disabled state

      This is normal (default), expected, and not a problem Optionally read more about this in the update-ca-trust man page

  6. Note that some applications (like Firefox), keep their own local cert database

    • See also: Firefox: How to audit & reset the list of trusted servers/CAs
  • Product(s)
  • Red Hat Enterprise Linux
  • Component
  • ca-certificates
  • nss
  • Category
  • Secure
  • Tags
  • certificates
  • how-to
  • openssl
  • security

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments

Red Hat X (formerly Twitter)

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Customer Portal
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Systems Status

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Diversity, equity, and inclusion
  • Cool Stuff Store
  • Red Hat Summit
Copyright © 2024 Red Hat, Inc.
  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility
×

Formatting Tips

Here are the common uses of Markdown.

Code blocks~~~ Code surrounded in tildes is easier to read ~~~ Links/URLs[Red Hat Customer Portal](https://access.redhat.com) Learn more Close

Request a English Translation

Are you sure you want to update a translation? It seems an existing English Translation exists already. We appreciate your interest in having Red Hat content localized to your language. Please note that excessive use of this feature could cause delays in getting specific content you are interested in translated. Close Request Japanese Translation Request Chinese Translation Request Korean Translation

Generating Machine Translation

Loading… We are generating a machine translation for this content. Depending on the length of the content, this process could take a while. Cancel

Từ khóa » Ca Rế