- Manual section
clrtrust is a tool for generating and managing a centralized trusted certificate store.
clrtrust [-v|--verbose] [-h|--help] [-c|--internal-rehash] <command> [options]
A trust store contains a set of X.509 certificates which the operating system and applications should consider trustworthy.
clrtrust tool provides a frontend for centralized trust store
management. It allows for adding (trusting) and removing (distrusting)
certificate authorities (CAs). It also provides maintenance commands for
viewing and re-generating the trust store.
Certificates can be provided by the operating system for out-of-box functionality. Certificates can also be provided and modified by privileged users.
It is up to each application to make use of the trust store generated by
Usage: clrtrust [-v|--verbose] [-h|--help] [-c|--internal-rehash] <command> [options] -v | --verbose Shows more details about execution -c | --internal-rehash Forces use of internal implementation of c_rehash -h | --help Prints this message Commands generate generates the trust store list list CAs add add trust to a CA remove remove trust to a CA restore restore trust to previously removed CA check sanity/consistency check of the trust store clrtrust <command> --help to get help on specific command.
Commands that modify the trust store require root privileges.
clrtrust generate [-f|--force]
generate command has no arguments and generates a unified trust
store composed of system-provided and user-provided certificates, if
any. The optional
--force parameter will forcibly generate the trust
store, even if it results in an empty store. See the FILES section for
paths used for trust store generation.
list command has no arguments and outputs a list of trusted
certificates with the following fields:
id uniquely identifies the certificate. It can be used as input to
clrtrust commands such as
File contains the file path of the certificate in the trust store.
Authority shows the name of the organization that issued the
certificate. This field is extracted from the certificate file.
Expires shows the expiration date of the certificate. This field is
extracted from the certificate file.
clrtust add [<certificateFile> ...] [-f|--force]
add command takes one or more certificates as required
argument(s). The certificate is identified by a file path. The
certificate file(s) must be PEM-encoded with only one certificate per
file. The optional
--force parameter will forcibly add the
certificate to the trust store, even if it is not a root CA.
Adding a root CA to the trust store allows applications using the trust store to trust the root CA certificate, trust certificate chains issued by the authority, verify the authenticity of peer’s certificate, and establish a connection.
clrtrust remove [<certificateFile|id> ...]
remove command takes one or more certificates as required
argument(s). The certificate is identified by a file path or
argument can be an
id of the certificate (see the
or the file path of the certificate.
Removing a root CA from the trust store distrusts the certificate for applications using the trust store. Certificate chains issued by the authority will no longer be trusted, authenticity of the peer’s certificate will no longer be verified, and a connection will not be established.
check command has no arguments and validate the consistency of a
previously generated unified trust store.
View the list of trusted CAs¶
The command above outputs a list of trusted certificates in the format below:
id: FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B File: /var/cache/ca-certs/anchors/certSIGN_ROOT_CA.crt Authority: /C=RO/O=certSIGN/OU=certSIGN ROOT CA Expires: Jul 4 17:20:04 2031 GMT
The certificate can be further inspected using the
command. For example:
openssl x509 -in /var/cache/ca-certs/anchors/certSIGN_ROOT_CA.crt -noout -text
Add (trust) a root CA¶
clrtrust add ~/PrivateCA.pem
The command above will add a root CA certificate located in the
~/PrivateCA.pem file. If the certificate file is not in the PEM
openssl x509 command to convert to PEM first. For
openssl x509 -in PrivateCA.cer -inform der -out PrivateCA.pem -outform pem
Remove (distrust) a root CA¶
clrtrust remove ~/PrivateCA.pem
The command above will remove a root CA certificate located in the
~/PrivateCA.pem file from the trust store and distrust it.
Generated directory of certificates and verification keys. Do not modify
contents outside of
Operating-system provided certificates and keys. Do not modify contents
Generated directory of user-supplied certificates and verification keys.
Do not modify contents outside of