Srinath's Blog

Search

SearchSearch

linux_CA

Nov 28, 20243 min read

Linux systems typically store details about Certificate Authorities (CAs) and their associated certificates, which are used for validating secure communication over protocols like HTTPS, SSH, and others. The details are stored in the system’s trusted root certificate store.

Key Locations Where CA Information is Stored:

  1. System-Wide CA Certificates:

    • Linux systems usually store trusted CA certificates in a centralized directory. These certificates are used by various applications (e.g., browsers, curl, wget) to validate SSL/TLS connections.

    • Common locations for these certificates:

      • Debian/Ubuntu: /etc/ssl/certs/

      • Red Hat/CentOS/Fedora: /etc/pki/tls/certs/

      • Generic Path: /etc/ssl/certs/ca-certificates.crt

    The system stores CA certificates in these directories, and many applications use them to verify the authenticity of SSL/TLS certificates from websites and services.

  2. CA Certificates Database:

    • On some systems, a certificate store or database is maintained by a tool like update-ca-certificates (Debian/Ubuntu) or trust (Fedora).
      • Debian/Ubuntu: /etc/ca-certificates.conf (lists which certificates are enabled/disabled).
      • Red Hat/CentOS/Fedora: /etc/pki/ca-trust/ or /etc/ssl/certs/ (varies based on distribution).

  3. System-Wide Trust Store:

    • The OpenSSL tool (openssl) uses the CA certificates in the system’s default store to verify SSL/TLS certificates.
      • openssl often looks in /etc/ssl/certs/ for trusted CAs.

  4. Browser-Specific CA Stores:

    • Browsers such as Firefox or Chrome may maintain their own CA stores. These are separate from the system’s store and are used to validate SSL/TLS certificates within the browser.

Checking CA Certificates on Linux:

  1. List Trusted CAs:

    • To list the CAs stored in your system: 
      ls /etc/ssl/certs/
      or for Red Hat-based systems: 
      ls /etc/pki/tls/certs/

  2. View the Contents of a CA Certificate:

    • You can view the details of a specific CA certificate using openssl: 
      openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text -noout
    • To view a specific certificate: 
      openssl x509 -in /path/to/certificate.pem -text -noout

  3. Update CA Certificates:

    • On Debian-based systems: 
      sudo update-ca-certificates
    • On Red Hat-based systems: 
      sudo update-ca-trust

  4. Verify SSL/TLS with a Specific CA:

    • You can verify an SSL certificate with a specific CA certificate using openssl: 
      openssl verify -CAfile /path/to/ca.pem /path/to/certificate.crt

Additional Considerations:

  • Custom or Private CAs: If your organization uses a private or internal Certificate Authority (CA), you may need to manually add the corresponding CA certificates to the system’s trusted store.
  • Applications: Applications like curl or wget may use their own CA certificate stores but usually rely on the system’s CA store by default.

Conclusion:

Linux does store CA certificates in specific directories, and many system tools and applications rely on these certificates to validate SSL/TLS connections. You can list, view, and manage these certificates using various tools like openssl, update-ca-certificates, and ca-certificates packages.

Graph View

Backlinks