Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit

Ensure --root option propagates prefix properly to other scripts

Git stats


Failed to load latest commit information.

Utilities for system wide CA certificate installation

update-ca-certificates is intended to keep the certificate stores of
various components in sync with the system CA certificates.

The canonical source of CA certificates is what p11-kit knows about.
By default p11-kit looks into /usr/share/pki/trust/ resp
/etc/pki/trust/ but there could be other plugins that serve as
source for certificates as well.

Supported Certificate Stores

update-ca-certificate supports a number of legacy certificate stores
for applications that don't talk to p11-kit directly yet. It does so
by generating the certificate stores in /var/lib/ca-certificates and
having symlinks from the locations where applications expect those

- /etc/ssl/certs: Hashed directory readable by openSSL. Only for
  legacy applications. Only contains CA certificates for server-auth
  purpose. Avoid using this in applications.
- /etc/ssl/ca-bundle.pem: Concatenated bundle of CA certificates
  with server-auth purpose. Avoid using this in applications.
- java-cacerts: Key store fore Java. Only filled with CA
  certificates with purpose server-auth.
- openssl: hashed directory with CA certificates of all purposes.
  Your system openSSL knows how to read that, don't hardcode the
  path! Call SSL_CTX_set_default_verify_paths() instead.

Differences to previous versions on openSUSE

- Packages are expected to install their CA certificates in
  /usr/share/pki/trust/anchors or /usr/share/pki/trust (no extra subdir) instead
  of /usr/share/ca-certificates/<vendor> now. The anchors subdirectory is for
  regular pem files, the directory one above for pem files in
  openssl's 'trusted' format.

- /etc/ca-certificates.conf is no longer supported. Just symlink the
  certificates you don't want to /etc/pki/trust/blacklist.

Differences to Debian

- /etc/ca-certificates.conf is not supported.
- Hook scripts don't receive the list of changed certificates on
  stdin. That allows scripts to have their own method to determine
- The command line arguments -v and -f are passed to hook scripts.
- All stores are created via hook scripts.


Utilities for system wide CA certificate installation







No packages published