summaryrefslogtreecommitdiffstats
path: root/sbin/update-ca-certificates.8
diff options
context:
space:
mode:
Diffstat (limited to 'sbin/update-ca-certificates.8')
-rw-r--r--sbin/update-ca-certificates.8100
1 files changed, 100 insertions, 0 deletions
diff --git a/sbin/update-ca-certificates.8 b/sbin/update-ca-certificates.8
new file mode 100644
index 0000000..6b11566
--- /dev/null
+++ b/sbin/update-ca-certificates.8
@@ -0,0 +1,100 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH UPDATE-CA-CERTIFICATES 8 "20 April 2003"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+update-ca-certificates \- update /etc/ssl/certs and ca-certificates.crt
+.SH SYNOPSIS
+.B update-ca-certificates
+.RI [ options ]
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-ca-certificates
+command.
+.PP
+\fBupdate-ca-certificates\fP is a program that manages the collection of
+TLS certificates for the local machine and generates ca-certificates.crt.
+ca-certificates.crt is a single-file of concatenated certificates.
+The collection of individual certificates is stored at /etc/ssl/certs.
+.PP
+The program reads the configuration file /etc/ca-certificates.conf. Each line
+gives a pathname of a CA certificate under /usr/share/ca-certificates that
+should be trusted. Lines that begin with "#" are comment lines and thus ignored.
+Lines that begin with "!" are deselected, causing the deactivation of the CA
+certificate in question.
+.PP
+Certificates must be in PEM format and have a .crt extension in order to be
+included by update-ca-certificates. Furthermore, all certificates with a .crt
+extension found below /usr/local/share/ca-certificates are also included and
+implicitly trusted.
+.PP
+To add one or more certificates to the machine, copy the certificates in PEM
+format with the *.crt extension to /usr/local/share/ca-certificates. There
+should be one certificate per file, and not multiple certificates in a single
+file. Then run update-ca-certificates to merge the new certificates into the
+existing machine store at /etc/ssl/certs.
+.PP
+Before terminating, \fBupdate-ca-certificates\fP invokes
+\fBrun-parts\fP on /etc/ca-certificates/update.d and calls each hook with
+a list of certificates: those added are prefixed with a +, those removed are
+prefixed with a -.
+.SH OPTIONS
+A summary of options is included below.
+.TP
+.B \-h, \-\-help
+Show summary of options.
+.TP
+.B \-v, \-\-verbose
+Be verbose. Output \fBopenssl rehash\fP.
+.TP
+.B \-f, \-\-fresh
+Fresh updates. Remove symlinks in /etc/ssl/certs directory.
+.TP
+.B \-\-certsconf
+Change the configuration file. By default, the file
+/etc/ca-certificates.conf is used.
+.TP
+.B \-\-certsdir
+Change the certificate directory. By default, the directory
+/usr/share/ca-certificates is used.
+.TP
+.B \-\-localcertsdir
+Change the local certificate directory. By default, the directory
+/usr/local/share/ca-certificates is used.
+.TP
+.B \-\-etccertsdir
+Change the /etc certificate directory. By default, the directory
+/etc/ssl/certs is used.
+.TP
+.SH FILES
+.TP
+.I /etc/ca-certificates.conf
+A configuration file.
+.TP
+.I /etc/ssl/certs/ca-certificates.crt
+A single-file version of CA certificates. This holds all CA certificates
+that were activated in /etc/ca-certificates.conf.
+.TP
+.I /usr/share/ca-certificates
+Directory of CA certificates provided by the distribution.
+.TP
+.I /usr/local/share/ca-certificates
+Directory of local CA certificates, with .crt extension, provided by the user.
+.SH SEE ALSO
+.BR openssl (1)
+.SH AUTHOR
+This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>,
+for the Debian project (but may be used by others).