- Manual section
clrtrust is a tool for generating and managing a centralized trusted certificate store.
clrtrust [-v|--verbose] [-h|--help] [-c|--internal-rehash] <command> [options]
A trust store contains a set of X.509 certificates which the operating system and applications should consider trustworthy.
clrtrust tool provides a frontend for centralized trust store
management. It allows for adding (trusting) and removing (distrusting)
certificate authorities (CAs). It also provides maintenance commands for
viewing and re-generating the trust store.
Certificates can be provided by the operating system for out-of-box functionality. Certificates can also be provided and modified by privileged users.
It is up to each application to make use of the trust store generated by
Usage: clrtrust [-v|--verbose] [-h|--help] [-c|--internal-rehash] <command> [options] -v | --verbose Shows more details about execution -c | --internal-rehash Forces use of internal implementation of c_rehash -h | --help Prints this message Commands generate generates the trust store list list CAs add add trust to a CA remove remove trust to a CA restore restore trust to previously removed CA check sanity/consistency check of the trust store clrtrust <command> --help to get help on specific command.
Commands that modify the trust store require root privileges.
clrtrust generate [-f|--force]
generatecommand has no arguments and generates a unified trust store composed of system-provided and user-provided certificates, if any. The optional
--forceparameter will forcibly generate the trust store, even if it results in an empty store. See the FILES section for paths used for trust store generation.
listcommand has no arguments and outputs a list of trusted certificates with the following fields:
iduniquely identifies the certificate. It can be used as input to other
clrtrustcommands such as
Filecontains the file path of the certificate in the trust store.
Authorityshows the name of the organization that issued the certificate. This field is extracted from the certificate file.
Expiresshows the expiration date of the certificate. This field is extracted from the certificate file.
clrtust add [<certificateFile> ...] [-f|--force]
addcommand takes one or more certificates as required argument(s). The certificate is identified by a file path. The certificate file(s) must be PEM-encoded with only one certificate per file. The optional
--forceparameter will forcibly add the certificate to the trust store, even if it is not a root CA.
Adding a root CA to the trust store allows applications using the trust store to trust the root CA certificate, trust certificate chains issued by the authority, verify the authenticity of peer’s certificate, and establish a connection.
clrtrust remove [<certificateFile|id> ...]
removecommand takes one or more certificates as required argument(s). The certificate is identified by a file path or
id. The argument can be an
idof the certificate (see the
listcommand) or the file path of the certificate.
Removing a root CA from the trust store distrusts the certificate for applications using the trust store. Certificate chains issued by the authority will no longer be trusted, authenticity of the peer’s certificate will no longer be verified, and a connection will not be established.
checkcommand has no arguments and validate the consistency of a previously generated unified trust store.
View the list of trusted CAs¶
The command above outputs a list of trusted certificates in the format below:
id: FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B File: /var/cache/ca-certs/anchors/certSIGN_ROOT_CA.crt Authority: /C=RO/O=certSIGN/OU=certSIGN ROOT CA Expires: Jul 4 17:20:04 2031 GMT
The certificate can be further inspected using the
command. For example:
openssl x509 -in /var/cache/ca-certs/anchors/certSIGN_ROOT_CA.crt -noout -text
Add (trust) a root CA¶
clrtrust add ~/PrivateCA.pem
The command above will add a root CA certificate located in the
~/PrivateCA.pem file. If the certificate file is not in the PEM
openssl x509 command to convert to PEM first. For
openssl x509 -in PrivateCA.cer -inform der -out PrivateCA.pem -outform pem
Remove (distrust) a root CA¶
clrtrust remove ~/PrivateCA.pem
The command above will remove a root CA certificate located in the
~/PrivateCA.pem file from the trust store and distrust it.
Generated directory of certificates and verification keys. Do not modify
contents outside of
Operating-system provided certificates and keys. Do not modify contents
Generated directory of user-supplied certificates and verification keys.
Do not modify contents outside of