Trusted SSL/TLS Certificate Stores on Linux Operating Systems and Applications
The SSL/TLS store location is not standardised across operating systems or even Linux distros. It could be anywhere in:
- /etc/ssl/certs
- /etc/pki/tls/certs/ca-bundle.crt
- /etc/ssl/certs/ca-bundle.crt
- /etc/pki/tls/certs/ca-bundle.trust.crt
- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- /System/Library/OpenSSL (OSX)
It could be a file, or it could be a hashed directory.
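As an added example (not code from the original post), here is a small POSIX shell probe that checks each candidate location above and reports whether it is a flat bundle file, an OpenSSL-style hashed directory, a plain directory, or absent. The hashed-directory test relies on the c_rehash naming scheme (eight hex digits, a dot, a sequence number); the candidate list is taken from this post and is an assumption about where to look, not an exhaustive list.

```sh
#!/bin/sh
# Added example, not part of the original post: find out what kind of CA store
# (if any) lives at each of the usual locations on this machine.

# classify_store PATH -> prints one of: file, hashed-dir, dir, missing
classify_store() {
    p="$1"
    if [ -d "$p" ]; then
        # c_rehash / "openssl rehash" name entries <8 hex digits>.<n>, e.g.
        # 2e5ac55d.0, so the presence of such names marks a hashed directory.
        if ls "$p" 2>/dev/null | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            echo "hashed-dir"
        else
            echo "dir"
        fi
    elif [ -f "$p" ]; then
        echo "file"
    else
        echo "missing"
    fi
}

# Candidate locations from the post (assumed starting points; add your own).
CANDIDATES="/etc/ssl/certs
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/System/Library/OpenSSL"

# report_stores -> prints "<kind> <path>" for every candidate
report_stores() {
    printf '%s\n' "$CANDIDATES" | while IFS= read -r p; do
        [ -n "$p" ] && printf '%-11s %s\n' "$(classify_store "$p")" "$p"
    done
}

report_stores
```

Run it on each box (and inside each container image) you deploy to; the answer is what tells you whether an application's "CA path" override should point at a file or at a directory.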
Furthermore, not every application uses the OS certificate store. Some applications, like Firefox and HTTPie, bundle their own certificate store.
All of this means that updating the certificate store on your OS does not guarantee that every application will pick up the new certificates. Every application needs to be checked on a case-by-case basis.
Most applications that bundle their own certificates allow you to override the certificate path, pointing it at a PEM file or at a c_rehash hashed directory (the hashed directory option is rare).
For curl this means using the ~/.curlrc file and setting: cacert = /certificates.pem
For libcurl in PHP, this means editing php.ini. But some applications, like Firefox, do not allow you to point to the OS certificates; you have to update the certificates the Firefox way.
So beware of any application that uses the network over SSL/TLS. Make a note of how it locates its certificates: whether it bundles its own, and whether it lets you override the certificate path. It can save you a lot of headaches later wondering why a particular application cannot access a certain URL.
Updating OS certificate stores is also OS/distro specific. Sometimes the distro packages will be out of date, and new CA changes may take a while to propagate. You can instead add certificates from curl's main website; they keep it updated by ripping certificates from Firefox. This is how you would do it in Ubuntu:
```sh
# first install/update from package manager
sudo apt-get install ca-certificates
# yes, it is downloading via HTTP, not sure why haxx.se hasn't implemented HTTPS
# the .crt extension matters: update-ca-certificates only picks up *.crt files
# from /usr/local/share/ca-certificates
sudo curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/share/ca-certificates/cacert.crt
# --fresh rebuilds /etc/ssl/certs from scratch instead of only adding new files
sudo update-ca-certificates --fresh
```
For more information see:
Note that this affects containers as well!
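The following script, added here and not part of the original post or of the curl project, turns the Ubuntu steps above and the ~/.curlrc override into checked operations: it validates a downloaded bundle (readable, at least one certificate, balanced PEM markers) before staging it where update-ca-certificates looks, compares it against an expected SHA-256 when one is given, and writes the cacert line into a curlrc only after the bundle has passed the check, so curl is never pointed at an empty or truncated file. The HTTPS URL https://curl.se/ca/cacert.pem and its .sha256 companion file are my assumption about where the bundle is published today (the post uses the older haxx.se address over HTTP); the DESTDIR and SUDO parameters exist so the staging step can be exercised without root.

```sh
#!/bin/sh
# Added example, not part of the original post. Validates a CA bundle, stages it
# for Debian/Ubuntu's update-ca-certificates, and points curl at it.

# pem_cert_count FILE -> number of PEM certificate blocks in FILE (0 if none)
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_bundle FILE -> 0 if FILE is readable, holds at least one certificate
# and has balanced BEGIN/END markers; otherwise explains on stderr, returns 1.
check_bundle() {
    f="$1"
    [ -r "$f" ] || { echo "bundle not readable: $f" >&2; return 1; }
    begins=$(pem_cert_count "$f")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -gt 0 ] || { echo "no certificates found in $f" >&2; return 1; }
    [ "$begins" -eq "$ends" ] || { echo "unbalanced PEM markers in $f" >&2; return 1; }
}

# sha256_of FILE -> hex digest (sha256sum, or shasum where coreutils is absent)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# fetch_bundle [URL] [OUT] -> downloads the bundle and its published checksum
# over HTTPS. The default URL is an assumption about where the curl project
# publishes the bundle today (the post used http://curl.haxx.se/ca/cacert.pem).
fetch_bundle() {
    url="${1:-https://curl.se/ca/cacert.pem}"
    out="${2:-cacert.pem}"
    curl -fsSL "$url" -o "$out" && curl -fsSL "$url.sha256" -o "$out.sha256"
}

# stage_bundle SRC [DESTDIR] -> copies a validated bundle into DESTDIR with a
# .crt extension (update-ca-certificates ignores other extensions) and prints
# the staged path. Set SUDO=sudo when DESTDIR is the real system directory.
stage_bundle() {
    src="$1"
    destdir="${2:-/usr/local/share/ca-certificates}"
    check_bundle "$src" || return 1
    dest="$destdir/$(basename "$src" .pem).crt"
    ${SUDO:-} cp "$src" "$dest" || return 1
    echo "$dest"
}

# write_curlrc_cacert BUNDLE [CURLRC] -> sets "cacert = BUNDLE" in CURLRC
# (default ~/.curlrc), replacing any existing cacert line, only if BUNDLE
# passes check_bundle.
write_curlrc_cacert() {
    bundle="$1"
    rc="${2:-$HOME/.curlrc}"
    check_bundle "$bundle" || return 1
    if [ -f "$rc" ]; then
        grep -v '^cacert[[:space:]]*=' "$rc" > "$rc.tmp" || true
    else
        : > "$rc.tmp"
    fi
    echo "cacert = $bundle" >> "$rc.tmp"
    mv "$rc.tmp" "$rc"
}

# Stand-alone use: "sh ca-bundle.sh install" fetches, verifies, stages and
# rebuilds the system store; with no argument it only defines the functions.
case "${1:-}" in
    install)
        fetch_bundle || exit 1
        verify_sha256 cacert.pem "$(cut -d' ' -f1 cacert.pem.sha256)" || exit 1
        SUDO=sudo stage_bundle cacert.pem || exit 1
        sudo update-ca-certificates --fresh
        ;;
esac
```

The checksum only proves the download matches what the curl site published; it is not a substitute for trusting that site, which is why fetching over HTTPS (validated against the store you already have) matters more than the checksum itself. After staging, the count reported by pem_cert_count on /etc/ssl/certs/ca-certificates.crt is a quick way to confirm update-ca-certificates actually merged the new file.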