Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
SSL/TLS: Trusted Certificate Stores on Linux Operating Systems and Applications

Trusted SSL/TLS Certificate Stores on Linux Operating Systems and Applications

The SSL/TLS store location is not standardised across operating systems or even Linux distros. It could be anywhere in:

  • /etc/ssl/certs
  • /etc/pki/tls/certs/ca-bundle.crt
  • /etc/ssl/certs/ca-bundle.crt
  • /etc/pki/tls/certs/ca-bundle.trust.crt
  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  • /System/Library/OpenSSL (OSX)

It could be a file, or it could be a hashed directory.

Furthermore, not every single application uses the OS certificate store. Some applications like Firefox and HTTPIE bundle their own certificate store for use.

All of this means, updating the certificate store on your OS does not mean all applications can make use of the new updated certificates. Every application needs to be updated on a case by case basis.

Most applications that bundle their own certificates allows you to override the certificate path to a PEM file or a c_rehash hashed directory (a hashed directory option is rare). For curl this means using the ~/.curlrc and setting: cacert = /certificates.pem. For libcurl in PHP, this means editing the php.ini. But some applications like Firefox does not allow you to point to the OS certificates, you have to update the certificates the Firefox way.

So beware of any application that uses the network, and uses SSL/TLS. Make sure to note of how it locates its certificates, whether it bundles its own, whether it allows you to override the certificate path, it can save you a lot of headaches later wondering why a particular application cannot access a certain URL.

Updating OS certificate stores are also OS/distro specific. Sometimes the distro packages will be out of date, and new CA changes may take a while to propagate. You can instead add certificates from curl's main website, they keep it updated by ripping certificates from Firefox. This is how you would do it in Ubuntu:

# first install/update from package manager
sudo apt-get install ca-certificates
# yes, it is downloading via HTTP, not sure why haxx.se hasn't implemented HTTPS
sudo curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/share/ca-certificates/cacert.crt
sudo update-ca-certificates --fresh

For more information see:

@CMCDragonkai

This comment has been minimized.

Copy link
Owner Author

@CMCDragonkai CMCDragonkai commented Oct 16, 2018

Note that this affect containers as well!

@CMCDragonkai

This comment has been minimized.

Copy link
Owner Author

@CMCDragonkai CMCDragonkai commented Jan 15, 2020

Also note that many applications use NSS instead: https://wiki.archlinux.org/index.php/Network_Security_Services
This means their certificate trust store is located in ~/.pki/nssdb and /etc/pki/nssdb. Note that mozilla even stores their NSSDB in their "profile" locations like ~/.mozilla/firefox/*.default-*.

See this for more information: https://wiki.gentoo.org/wiki/Certificates and https://wiki.gentoo.org/wiki/Certificates

Dealing with NSS requires nss tools like certutil. You can install this on NixOS with nss.tools or nssTools attribute. It has to go into the ~/.config/nixpkgs/config.nix though!

There's no simple way of installing certificates system-wide or user-wide for all applications! So these certs really have to be thought of as per-application things.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment