How to configure your CA trust list in Linux
In the world of networking, a certificate authority (CA) is an organization that vouches for Secure Sockets Layer (SSL) certificates, which indicate that a web server can be trusted.
This article covers accepting additional CAs (adding more people to your trusted list) and then digs deeper into rejecting CAs and why you may want to do that.
Adding a trusted CA
Adding additional CAs is a common practice. To do this, you need to get the certificate
and copy it to one of the approved directories, such as /etc/pki/ca-trust/source/whitelist/.
Copy the certificate from your location to either of the following directories:
/usr/share/pki/ca-trust-source/anchors
or
/etc/pki/ca-trust/source/anchors
$ cp [replace-with-your-cert].cer /etc/pki/ca-trust/source/anchors/Any time you add something to either the blacklist or whitelist directories, you must update the trust list:
$ update-ca-trustVerifying trust status
You can verify whether a CA can be trusted by looking at the "anchor" value in the trust key:
$ trust list --filter=ca-anchors | grep Example -i -A 2 -B 3
pkcs11:id=%ff%f9%eb%97%be%21[...]%e9;type=cert
type: certificate
label: EXAMPLE Secure Certification Authority 1
trust: anchor
Category: authority
pkcs11:id=%ff%9f%88%df%a1%cd%2c%[...]%4b;type=cert
Type: certificate
Label: EXAMPLE Global Root Certification Authority
Trust: anchor
Category: authorityDefining an untrusted CA
Limiting trust to only what is required is a longstanding good security practice.
The ca-certificates package provides a method to reject a CA by placing it in /etc/pki/ca-trust/source/blacklist/.
Be careful in what you mark as untrusted. Don't blindly reject all CAs without first considering what's required in your environment. You can verify a CA with the openssl command:
$ openssl s_client -connect example.com:443