.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH UPDATE-CA-CERTIFICATES 8 "20 April 2003"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh disable hyphenation
.\" .hy enable hyphenation
.\" .ad l left justify
.\" .ad b justify to both left and right margins
.\" .nf disable filling
.\" .fi enable filling
.\" .br insert line break
.\" .sp <n> insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
update-ca-certificates \- update /etc/ssl/certs and ca-certificates.crt
.SH SYNOPSIS
.B update-ca-certificates
.RI [ options ]
.SH DESCRIPTION
This manual page documents briefly the
.B update-ca-certificates
command.
.PP
\fBupdate-ca-certificates\fP is a program that manages the collection of
TLS certificates for the local machine and generates ca-certificates.crt.
ca-certificates.crt is a single file of concatenated certificates.
The collection of individual certificates is stored at /etc/ssl/certs.
.PP
The program reads the configuration file /etc/ca-certificates.conf. Each line
gives a pathname of a CA certificate under /usr/share/ca-certificates that
should be trusted. Lines that begin with "#" are comment lines and thus ignored.
Lines that begin with "!" are deselected, causing the deactivation of the CA
certificate in question.
.PP
Certificates must be in PEM format and have a .crt extension in order to be
included by update-ca-certificates. Furthermore, all certificates with a .crt
extension found below /usr/local/share/ca-certificates are also included and
implicitly trusted.
.PP
To add one or more certificates to the machine, copy the certificates in PEM
format with the .crt extension to /usr/local/share/ca-certificates. There
should be one certificate per file, and not multiple certificates in a single
file. Then run update-ca-certificates to merge the new certificates into the
existing machine store at /etc/ssl/certs.
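.PP
The requirements above (a .crt extension, PEM format, exactly one certificate per file) can be checked before anything is copied into /usr/local/share/ca-certificates, where it would be implicitly trusted. The following script is an added example, not part of the ca-certificates package; the helper names check_local_cert, audit_local_dir and write_sample are hypothetical, and the sample file content is constructed.
.nf

```shell
#!/bin/sh
# Added example: preflight for files bound for /usr/local/share/ca-certificates.
# Helper names are hypothetical. Only PEM armor lines are inspected; the
# certificate body is not decoded or validated.
check_local_cert() {
    cert=$1
    case "$cert" in
        *.crt) ;;
        *) echo "SKIPPED $cert: no .crt extension, will not be included"; return 1 ;;
    esac
    [ -f "$cert" ] && [ -r "$cert" ] || { echo "ERROR $cert: not a readable file"; return 1; }
    # grep -c exits non-zero on a zero count; neutralise that for set -e callers.
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$cert" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$cert" || true)
    if [ "$begins" -eq 0 ]; then
        echo "ERROR $cert: no PEM certificate found (DER or wrong file type?)"
        return 1
    fi
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "ERROR $cert: $begins BEGIN / $ends END markers, expected one certificate"
        return 1
    fi
    echo "OK $cert"
}

# Report on every file below a directory such as the local certificate directory.
audit_local_dir() {
    find "$1" -type f | sort | while IFS= read -r path; do
        check_local_cert "$path" || true
    done
}

# Constructed sample: PEM armor around a placeholder body, not a real certificate.
write_sample() {   # usage: write_sample FILE COUNT
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        cat >> "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
constructed-placeholder-body
-----END CERTIFICATE-----
EOF
        i=$((i + 1))
    done
}

# Command-line use: sh preflight.sh FILE...
if [ "$#" -gt 0 ]; then
    for arg in "$@"; do check_local_cert "$arg" || true; done
fi
```

.fi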
.PP
Before terminating, \fBupdate-ca-certificates\fP invokes
\fBrun-parts\fP on /etc/ca-certificates/update.d and calls each hook with
a list of certificates: those added are prefixed with a +, those removed are
prefixed with a \-.
.SH OPTIONS
A summary of options is included below.
.TP
.B \-h, \-\-help
Show summary of options.
.TP
.B \-v, \-\-verbose
Be verbose. Show the output of \fBopenssl rehash\fP.
.TP
.B \-f, \-\-fresh
Fresh updates. Remove symlinks in /etc/ssl/certs directory.
.TP
.B \-\-certsconf
Change the configuration file. By default, the file
/etc/ca-certificates.conf is used.
.TP
.B \-\-certsdir
Change the certificate directory. By default, the directory
/usr/share/ca-certificates is used.
.TP
.B \-\-localcertsdir
Change the local certificate directory. By default, the directory
/usr/local/share/ca-certificates is used.
.TP
.B \-\-etccertsdir
Change the /etc certificate directory. By default, the directory
/etc/ssl/certs is used.
.SH FILES
.TP
.I /etc/ca-certificates.conf
A configuration file.
.TP
.I /etc/ssl/certs/ca-certificates.crt
A single-file version of CA certificates. This holds all CA certificates
that were activated in /etc/ca-certificates.conf.
.TP
.I /usr/share/ca-certificates
Directory of CA certificates provided by the distribution.
.TP
.I /usr/local/share/ca-certificates
Directory of local CA certificates, with .crt extension, provided by the user.
.SH SEE ALSO
.BR openssl (1)
.SH AUTHOR
This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>,
for the Debian project (but may be used by others).