Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save CMCDragonkai/f5f76b8eb13e7579aba3 to your computer and use it in GitHub Desktop.
Save CMCDragonkai/f5f76b8eb13e7579aba3 to your computer and use it in GitHub Desktop.
SSL/TLS: Trusted Certificate Stores on Linux Operating Systems and Applications

Trusted SSL/TLS Certificate Stores on Linux Operating Systems and Applications

The SSL/TLS store location is not standardised across operating systems or even Linux distros. It could be anywhere in:

  • /etc/ssl/certs
  • /etc/pki/tls/certs/ca-bundle.crt
  • /etc/ssl/certs/ca-bundle.crt
  • /etc/pki/tls/certs/
  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  • /System/Library/OpenSSL (OSX)

It could be a file, or it could be a hashed directory.

Furthermore, not every single application uses the OS certificate store. Some applications like Firefox and HTTPIE bundle their own certificate store for use.

All of this means, updating the certificate store on your OS does not mean all applications can make use of the new updated certificates. Every application needs to be updated on a case by case basis.

Most applications that bundle their own certificates allows you to override the certificate path to a PEM file or a c_rehash hashed directory (a hashed directory option is rare). For curl this means using the ~/.curlrc and setting: cacert = /certificates.pem. For libcurl in PHP, this means editing the php.ini. But some applications like Firefox does not allow you to point to the OS certificates, you have to update the certificates the Firefox way.

So beware of any application that uses the network, and uses SSL/TLS. Make sure to note of how it locates its certificates, whether it bundles its own, whether it allows you to override the certificate path, it can save you a lot of headaches later wondering why a particular application cannot access a certain URL.

Updating OS certificate stores are also OS/distro specific. Sometimes the distro packages will be out of date, and new CA changes may take a while to propagate. You can instead add certificates from curl's main website, they keep it updated by ripping certificates from Firefox. This is how you would do it in Ubuntu:

# first install/update from package manager
sudo apt-get install ca-certificates
# yes, it is downloading via HTTP, not sure why hasn't implemented HTTPS
sudo curl -o /usr/local/share/ca-certificates/cacert.crt
sudo update-ca-certificates --fresh

For more information see:

Copy link

Note that this affect containers as well!

Copy link

CMCDragonkai commented Jan 15, 2020

Also note that many applications use NSS instead:
This means their certificate trust store is located in ~/.pki/nssdb and /etc/pki/nssdb. Note that mozilla even stores their NSSDB in their "profile" locations like ~/.mozilla/firefox/*.default-*.

See this for more information: and

Dealing with NSS requires nss tools like certutil. You can install this on NixOS with or nssTools attribute. It has to go into the ~/.config/nixpkgs/config.nix though!

There's no simple way of installing certificates system-wide or user-wide for all applications! So these certs really have to be thought of as per-application things.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment