SSL/TLS: Trusted Certificate Stores on Linux Operating Systems and Applications

The SSL/TLS store location is not standardised across operating systems or even Linux distros. It could be anywhere in:

  • /etc/ssl/certs
  • /etc/pki/tls/certs/ca-bundle.crt
  • /etc/ssl/certs/ca-bundle.crt
  • /etc/pki/tls/certs/ca-bundle.trust.crt
  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  • /System/Library/OpenSSL (OSX)

It could be a file, or it could be a hashed directory.
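To see which of the locations listed above a given machine actually has, and whether each one is a PEM bundle or a c_rehash-style hashed directory, here is an added POSIX shell example (not part of the gist). It probes the paths from the list plus /etc/ssl/certs/ca-certificates.crt, the bundle that update-ca-certificates writes on Debian and Ubuntu; OpenSSL-based programs can be pointed at a specific store with SSL_CERT_FILE or SSL_CERT_DIR, which the script only reports.

```shell
#!/bin/sh
# Candidate CA store locations (the list from the text plus the
# Debian/Ubuntu bundle).  Added example, not code from the gist.
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/certs"

# Number of certificates in a PEM bundle; 0 if the file is unreadable.
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Classify a path: "bundle" (a PEM file), "hashed-dir" (a directory
# containing c_rehash / openssl-rehash links such as 5ed36f99.0),
# "dir" (a directory without hash links) or "missing".
classify_store() {
    if [ -f "$1" ]; then
        echo bundle
    elif [ -d "$1" ]; then
        for f in "$1"/*.0; do
            if [ -e "$f" ] || [ -L "$f" ]; then echo hashed-dir; return 0; fi
        done
        echo dir
    else
        echo missing
    fi
}

# First existing path among the arguments (default: CA_CANDIDATES).
find_ca_bundle() {
    [ $# -eq 0 ] && set -- $CA_CANDIDATES
    for p in "$@"; do
        if [ -e "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# One line per candidate, plus any OpenSSL environment override in effect.
report_ca_stores() {
    for p in $CA_CANDIDATES; do
        kind=$(classify_store "$p")
        case "$kind" in
            bundle) echo "$p: bundle, $(count_pem_certs "$p") certificates" ;;
            *)      echo "$p: $kind" ;;
        esac
    done
    [ -n "$SSL_CERT_FILE" ] && echo "SSL_CERT_FILE override: $SSL_CERT_FILE"
    [ -n "$SSL_CERT_DIR" ]  && echo "SSL_CERT_DIR override: $SSL_CERT_DIR"
    return 0
}
```

Run `report_ca_stores` on a box to see which store each candidate is; a bundle whose certificate count did not change after an update is a quick sign that the application you are debugging may be reading a different store.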

Furthermore, not every application uses the OS certificate store. Some applications, such as Firefox and HTTPie, bundle their own certificate store.

All of this means that updating the certificate store on your OS does not guarantee that every application can make use of the newly updated certificates. Each application needs to be checked on a case-by-case basis.

Most applications that bundle their own certificates allow you to override the certificate path with a PEM file or a c_rehash hashed directory (the hashed-directory option is rare). For curl this means using ~/.curlrc and setting: cacert = /certificates.pem. For libcurl in PHP, this means editing php.ini. But some applications, such as Firefox, do not allow you to point to the OS certificates at all; you have to update the certificates the Firefox way.

So beware of any application that uses the network over SSL/TLS. Make a note of how it locates its certificates, whether it bundles its own, and whether it allows you to override the certificate path. It can save you a lot of headaches later when wondering why a particular application cannot access a certain URL.

Updating OS certificate stores is also OS/distro specific. Sometimes the distro packages will be out of date, and new CA changes may take a while to propagate. You can instead add certificates from curl's main website; they keep their bundle updated by extracting the CA certificates from Firefox. This is how you would do it in Ubuntu:

```sh
# first install/update from package manager
sudo apt-get install ca-certificates
# yes, it is downloading via HTTP, not sure why haxx.se hasn't implemented HTTPS
# update-ca-certificates only picks up files under /usr/local/share/ca-certificates
# that end in .crt, and every certificate in this file becomes a trusted root,
# so check the download (curl publishes a SHA-256 checksum alongside the bundle)
# before trusting it
sudo curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/share/ca-certificates/cacert.crt
sudo update-ca-certificates --fresh
```

For more information see:
