Gist CMCDragonkai/f5f76b8eb13e7579aba3
SSL/TLS: Trusted Certificate Stores on Linux Operating Systems and Applications

Trusted SSL/TLS Certificate Stores on Linux Operating Systems and Applications

The location of the trusted CA certificate store is not standardised across operating systems, or even across Linux distros. Depending on the system it could be any of:

  • /etc/ssl/certs
  • /etc/pki/tls/certs/ca-bundle.crt
  • /etc/ssl/certs/ca-bundle.crt
  • /etc/pki/tls/certs/ca-bundle.trust.crt
  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  • /System/Library/OpenSSL (OSX)

It could be a single PEM bundle file, or it could be a hashed directory: one certificate per file, indexed by subject-hash symlinks of the kind c_rehash or openssl rehash produce (what OpenSSL calls a CApath, as opposed to a CAfile).

Furthermore, not every application uses the OS certificate store. Some applications, such as Firefox (its own NSS database) and HTTPie (the certifi bundle that ships with Python's requests library), bundle their own certificate store.

All of this means that updating the certificate store on your OS does not guarantee that every application can make use of the new certificates. Each application has to be checked, and if necessary updated, on a case-by-case basis.

Most applications that bundle their own certificates allow you to override the certificate path with a PEM file or, more rarely, a c_rehash-style hashed directory. For curl this means setting cacert = /path/to/certificates.pem in ~/.curlrc (or exporting CURL_CA_BUNDLE). For libcurl in PHP it means setting curl.cainfo in php.ini (and openssl.cafile for PHP's OpenSSL stream wrapper). But some applications, Firefox among them, cannot simply be pointed at the OS certificates; you have to import the certificates into Firefox's own NSS database, the Firefox way.
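The script below is an added example, not code from the gist. It resolves the per-application overrides just described for the common TLS clients on a host and prints where each one actually gets its roots, so that "why can only this one program not reach that URL" becomes a one-command question. The environment variables and config keys (CURL_CA_BUNDLE, SSL_CERT_FILE, curlrc cacert, php.ini curl.cainfo, REQUESTS_CA_BUNDLE, NODE_EXTRA_CA_CERTS, GIT_SSL_CAINFO, git http.sslCAInfo) are the real ones those tools read; the curl precedence encoded in curl_ca_bundle (an explicit cacert beats CURL_CA_BUNDLE, which beats SSL_CERT_FILE, which beats the build-time default) is curl's documented behaviour. The sample ~/.curlrc in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the gist): show where the TLS clients on this host
# get their trust roots, and parse the per-application override settings the
# text mentions (~/.curlrc "cacert", php.ini "curl.cainfo").

# ini_get KEY FILE: print the value of KEY from a curlrc- or ini-style file.
# curlrc accepts "cacert = x", "cacert x", "cacert:x" and even "--cacert x";
# php.ini uses "key = value" with optional double quotes. Comments start with
# # or ;. When a key appears more than once the last definition wins, as in
# both formats. Returns 1 when the key is absent or the file is unreadable.
ini_get() {
    [ -r "$2" ] || return 1
    awk -v k="$1" '
        /^[[:space:]]*[#;]/ { next }                      # comment line
        {
            line = $0
            sub(/^[[:space:]]*(--)?/, "", line)            # strip indent and "--"
            if (!match(line, /[[:space:]=:]+/)) next       # no "key<sep>value"
            name  = substr(line, 1, RSTART - 1)
            value = substr(line, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", value)
            sub(/^"/, "", value); sub(/"$/, "", value)     # php.ini quotes values
            if (name == k) found = value
        }
        END { if (found == "") exit 1; print found }
    ' "$2"
}

# curl_ca_bundle [CURLRC]: the CA file the curl tool will use, following curl's
# own precedence: cacert in the rc file (or --cacert) beats $CURL_CA_BUNDLE,
# which beats $SSL_CERT_FILE, which beats the path compiled in at build time.
curl_ca_bundle() {
    if f=$(ini_get cacert "${1:-$HOME/.curlrc}"); then printf '%s\n' "$f"
    elif [ -n "${CURL_CA_BUNDLE:-}" ]; then printf '%s\n' "$CURL_CA_BUNDLE"
    elif [ -n "${SSL_CERT_FILE:-}" ]; then printf '%s\n' "$SSL_CERT_FILE"
    elif command -v curl-config >/dev/null 2>&1; then printf '%s\n' "$(curl-config --ca)"
    else printf '%s\n' "(libcurl default, usually the OpenSSL CAfile)"
    fi
}

# trust_store_report: one line per client. Every probe is guarded so the
# report degrades to "not installed" instead of failing on a minimal host.
trust_store_report() {
    if command -v openssl >/dev/null 2>&1; then
        printf 'openssl    %s (env SSL_CERT_FILE=%s SSL_CERT_DIR=%s)\n' \
            "$(openssl version -d)" "${SSL_CERT_FILE:-unset}" "${SSL_CERT_DIR:-unset}"
    fi
    printf 'curl       %s\n' "$(curl_ca_bundle)"
    if command -v php >/dev/null 2>&1; then
        ini=$(php --ini | awk -F': +' '/Loaded Configuration File/ { print $2 }')
        cainfo=$(ini_get curl.cainfo "$ini") || cainfo='unset -> libcurl default'
        printf 'php/curl   %s (php.ini: %s)\n' "$cainfo" "${ini:-none}"
    fi
    if command -v python3 >/dev/null 2>&1; then
        certifi=$(python3 -c 'import certifi; print(certifi.where())' 2>/dev/null) \
            || certifi='certifi not installed'
        printf 'python     requests/httpie: %s; stdlib ssl: OpenSSL defaults\n' \
            "${REQUESTS_CA_BUNDLE:-$certifi}"
    fi
    printf 'node       bundled Mozilla roots + NODE_EXTRA_CA_CERTS=%s\n' "${NODE_EXTRA_CA_CERTS:-unset}"
    if command -v git >/dev/null 2>&1; then
        g=$(git config --get http.sslCAInfo) || g='libcurl default'
        printf 'git        %s\n' "${GIT_SSL_CAINFO:-$g}"
    fi
    [ -n "${JAVA_HOME:-}" ] && printf 'java       %s/lib/security/cacerts\n' "$JAVA_HOME"
    return 0
}

trust_store_report
```

Run it as is to get the report; to confirm what curl really does on a given host, compare the curl line with the "CAfile:" and "CApath:" lines that `curl -v https://example.com` prints during the handshake.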

So be wary of any application that uses the network over SSL/TLS. Make a note of how it locates its certificates: whether it bundles its own, and whether it lets you override the certificate path. It can save you a lot of headaches later, wondering why one particular application cannot reach a certain URL while everything else can.

Updating the OS certificate store is also OS/distro specific. Sometimes the distro package will be out of date, and new CA changes take a while to propagate. You can instead add certificates from the curl project's website; they keep a PEM bundle up to date by extracting the trusted roots from Mozilla's NSS store, the same set Firefox ships. Two caveats: update-ca-certificates only picks up *.crt files under /usr/local/share/ca-certificates, and the hash links it builds in /etc/ssl/certs (via c_rehash or openssl rehash) skip any file that does not contain exactly one certificate, so a whole bundle added as one .crt lands in the concatenated /etc/ssl/certs/ca-certificates.crt but not in the hashed directory. Split the bundle into one certificate per file if anything on the host uses the directory form. On RHEL/Fedora the equivalent is to copy PEM files into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. This is how you would do it on Ubuntu:

# first install/update from package manager
sudo apt-get install ca-certificates
# fetch the Mozilla-derived bundle over HTTPS; -f makes curl fail on an HTTP error
# instead of writing the error page into the trust store
sudo curl -fsSL https://curl.se/ca/cacert.pem -o /usr/local/share/ca-certificates/cacert.crt
# rebuild /etc/ssl/certs/ca-certificates.crt and the hash links from scratch
sudo update-ca-certificates --fresh
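The script below is an added example, not the gist's own code. It generalises the Ubuntu steps above to both distro families and also covers the file-versus-hashed-directory distinction from earlier on the page: it splits a multi-certificate bundle such as curl's cacert.pem into one certificate per file (so c_rehash / openssl rehash will index every root, not skip the file), drops the pieces into the distro's anchor directory, rebuilds the store, and verifies a certificate against the resulting CAfile. The directory and tool names are the real ones for Debian/Ubuntu (ca-certificates) and RHEL/Fedora (ca-trust); the functions need root to install, but the splitting and counting helpers run unprivileged on any PEM file. The bundle shown in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the gist): install trust anchors into the OS store
# on Debian/Ubuntu or RHEL/Fedora, splitting a multi-certificate bundle first.
# Both c_rehash and "openssl rehash" skip files that do not hold exactly one
# certificate, so a bundle added as a single .crt reaches the concatenated
# CAfile but gets no hash link in the CApath directory.

# pem_count FILE: number of certificates in a PEM file (0 for none).
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# pem_split BUNDLE OUTDIR PREFIX: write each certificate of BUNDLE to
# OUTDIR/PREFIX-NNN.crt (the .crt suffix is what update-ca-certificates
# looks for) and print how many were written. Text outside the BEGIN/END
# markers, such as the per-certificate comments in curl's bundle, is dropped.
pem_split() {
    mkdir -p "$2"
    awk -v dir="$2" -v pfx="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%s-%03d.crt", dir, pfx, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END { print n + 0 }
    ' "$1"
}

# make_capath DIR: turn a directory of one-cert-per-file PEMs into the hashed
# form that OpenSSL's CApath / SSL_CERT_DIR expects (<subject_hash>.N links).
make_capath() { openssl rehash "$1" 2>/dev/null || c_rehash "$1"; }

# ca_store_family: which store-maintenance tool this host has.
ca_store_family() {
    if   command -v update-ca-certificates >/dev/null 2>&1; then echo debian
    elif command -v update-ca-trust        >/dev/null 2>&1; then echo redhat
    else return 1
    fi
}

# install_ca_bundle BUNDLE NAME: split BUNDLE into the anchor directory and
# rebuild the store. Debian: /usr/local/share/ca-certificates/*.crt feed
# /etc/ssl/certs/ca-certificates.crt plus hash links in /etc/ssl/certs.
# RHEL: /etc/pki/ca-trust/source/anchors/* feed /etc/pki/tls/certs/ca-bundle.crt
# and /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
install_ca_bundle() {
    case $(ca_store_family) in
        debian) anchors=/usr/local/share/ca-certificates; rebuild=update-ca-certificates ;;
        redhat) anchors=/etc/pki/ca-trust/source/anchors;  rebuild=update-ca-trust ;;
        *)      echo "no known CA store tool on this host" >&2; return 1 ;;
    esac
    n=$(pem_split "$1" "$anchors" "$2")
    echo "wrote $n certificate file(s) to $anchors"
    "$rebuild"
}

# verify_against_store CERT: check CERT against the CAfile OpenSSL-based
# clients read. Run this before blaming the application: if it fails here,
# the OS store is the problem, not the app.
verify_against_store() {
    for f in /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt; do
        [ -r "$f" ] && { openssl verify -CAfile "$f" "$1"; return; }
    done
    echo "no system CAfile found" >&2; return 1
}

# Usage (as root): sh install-anchors.sh BUNDLE NAME, e.g.
#   curl -fsSL https://curl.se/ca/cacert.pem -o cacert.pem
#   sudo sh install-anchors.sh cacert.pem mozilla-via-curl
if [ $# -eq 2 ]; then install_ca_bundle "$1" "$2"; fi
```

On Debian the split files show up in /etc/ssl/certs as mozilla-via-curl-001.pem and so on, each with its own subject-hash link, which is exactly what the single cacert.crt from the steps above does not get. Expect many duplicates of roots the distro already ships; that is harmless, but it is a sign that what you really wanted was usually just the one missing CA.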

For more information see:

CMCDragonkai (Author) commented:
Note that this affects containers as well!

CMCDragonkai (Author) commented Jan 15, 2020:

Also note that many applications use NSS instead: https://wiki.archlinux.org/index.php/Network_Security_Services
This means their certificate trust store is located in ~/.pki/nssdb and /etc/pki/nssdb. Note that Mozilla even stores its NSSDB in its "profile" locations like ~/.mozilla/firefox/*.default-*.

See this for more information: https://wiki.gentoo.org/wiki/Certificates

Dealing with NSS requires nss tools like certutil. You can install this on NixOS with nss.tools or nssTools attribute. It has to go into the ~/.config/nixpkgs/config.nix though!

There's no simple way of installing certificates system-wide or user-wide for all applications! So these certs really have to be thought of as per-application things.
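As an added example (not from the gist or the comment above), the script below does the NSS side of that per-application work with certutil: it finds every NSS database the user has, the shared ~/.pki/nssdb that Chrome/Chromium and other NSS clients read plus each Firefox profile, and imports a CA into all of them with server-authentication trust. It assumes certutil from the NSS tools package is installed (libnss3-tools on Debian/Ubuntu, nss-tools on Fedora/RHEL, nss.tools on NixOS as the comment says). The paths are the real ones, including the snap-packaged Firefox location on Ubuntu; the "sql:" and "dbm:" prefixes and the "C,," trust flags are certutil's own. The directory layout in the test is constructed. The system-wide /etc/pki/nssdb is handled the same way by passing its parent as HOME while root.

```shell
#!/bin/sh
# Added example (not from the gist): import a CA into every NSS database of a
# user. NSS-based clients do not read the OS store, so this is the "Firefox
# way" of updating trust for Firefox profiles and the shared ~/.pki/nssdb.

# nss_db_prefix DIR: the certutil "-d" spec for DIR. Current NSS stores use
# cert9.db/key4.db (SQLite, "sql:"); legacy profiles use cert8.db ("dbm:").
# Prints nothing and returns 1 if DIR holds no NSS database at all.
nss_db_prefix() {
    if   [ -f "$1/cert9.db" ]; then printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then printf 'dbm:%s\n' "$1"
    else return 1
    fi
}

# nss_db_dirs [HOME]: every NSS database directory for the user: the shared
# store, then each Firefox profile (deb/rpm and snap locations). The globs are
# deliberately broad; nss_db_prefix filters out directories without a db,
# such as Firefox's "Crash Reports".
nss_db_dirs() {
    h=${1:-$HOME}
    for d in "$h/.pki/nssdb" "$h"/.mozilla/firefox/*/ \
             "$h"/snap/firefox/common/.mozilla/firefox/*/; do
        d=${d%/}
        nss_db_prefix "$d" >/dev/null 2>&1 && printf '%s\n' "$d"
    done
    return 0
}

# nss_trust_flags SPEC NICK: the trust string certutil -L shows for NICK
# (e.g. "C,," = trusted CA for TLS server certs, nothing for S/MIME or code).
nss_trust_flags() {
    certutil -d "$1" -L | awk -v n="$2" 'index($0, n) == 1 { print $NF }'
}

# nss_import_ca CERT NICK [HOME]: add CERT as a trusted server CA in every
# database found, replacing an existing entry of the same nickname. Creates
# the shared db if the user has none yet.
nss_import_ca() {
    cert=$1; nick=$2; h=${3:-$HOME}
    if [ ! -f "$h/.pki/nssdb/cert9.db" ]; then
        mkdir -p "$h/.pki/nssdb" && certutil -d "sql:$h/.pki/nssdb" -N --empty-password
    fi
    nss_db_dirs "$h" | while read -r d; do
        spec=$(nss_db_prefix "$d")
        if certutil -d "$spec" -L -n "$nick" >/dev/null 2>&1; then
            certutil -d "$spec" -D -n "$nick"      # drop the older copy first
        fi
        certutil -d "$spec" -A -t 'C,,' -n "$nick" -i "$cert"
        echo "imported '$nick' into $spec with trust $(nss_trust_flags "$spec" "$nick")"
    done
}

# Usage: sh nss-import.sh corp-root-ca.pem "Corp Root CA"
if [ $# -ge 2 ]; then nss_import_ca "$1" "$2"; fi
```

Firefox must be closed while its profile database is written. "C,," grants trust for TLS server certificates only; add "T" (as in "CT,,") only if the CA should also vouch for client certificates. Firefox also honours an enterprise policies.json whose Certificates.Install list names PEM files to load at startup, which avoids touching profiles at all when you control the installation directory.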
