initial commit

This commit is contained in:
2026-02-23 20:06:44 -06:00
parent 0a5a6c6a1d
commit 53104542f7
11 changed files with 5070 additions and 0 deletions
+163
View File
@@ -0,0 +1,163 @@
# ca-certs
`ca-certs` is a Linux CLI for managing CA trust store sources and extracted bundles in a `p11-kit` / `trust` (`update-ca-trust`-style) layout.
It supports:
- adding PEM CA certificates to `trust-source/anchors`
- regenerating extracted trust outputs (PEM bundles, OpenSSL bundle, Java cacerts, hash dir)
- syncing `/etc/ssl/certs` symlinks for the standard extraction path
- fetching/parsing/converting Mozilla NSS `certdata.txt` into a `p11-kit` trust source
- operating on an alternate root filesystem with `--root` (image/chroot builds)
## Requirements
- Linux (the tool exits on non-Linux targets)
- `trust` (from `p11-kit`) available in `PATH`
- `openssl` available in `PATH` for `certdata convert` / `certdata sync`
- `chroot` available in `PATH` when using `--root` with a non-`/` rootfs
- permission to write system trust paths (typically root)
## Build
### Cargo
```bash
cargo build --release
```
Binary output:
```text
target/release/ca-certs
```
### Meson (packaging-friendly)
Builds the Rust binary and installs the man page + shell completions from `contrib/`.
```bash
meson setup build
meson compile -C build
meson install -C build
```
## What It Manages
Default source and output paths mirror common `update-ca-trust` / `p11-kit` layouts:
- anchors: `/etc/ca-certificates/trust-source/anchors`
- extracted output dir: `/etc/ca-certificates/extracted`
- OpenSSL cert symlink dir: `/etc/ssl/certs`
- Java cacerts symlink: `/etc/ssl/certs/java/cacerts`
- Mozilla trust source (for `certdata convert/sync`): `/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit`
`extract` generates:
- `tls-ca-bundle.pem`
- `email-ca-bundle.pem`
- `objsign-ca-bundle.pem`
- `ca-bundle.trust.crt`
- `edk2-cacerts.bin`
- `java-cacerts.jks`
- `cadir/` (hashed cert directory)
## Usage
Show help:
```bash
ca-certs --help
ca-certs add --help
ca-certs extract --help
ca-certs certdata --help
```
### Add a CA certificate
Adds a PEM certificate to the anchors directory and refreshes extracted outputs by default.
```bash
sudo ca-certs add /path/to/company-root.pem
```
Specify a custom anchor name:
```bash
sudo ca-certs add /path/to/company-root.pem --name company-root
```
Add without extraction:
```bash
sudo ca-certs add /path/to/company-root.pem --no-extract
```
Dry-run:
```bash
ca-certs add /path/to/company-root.pem --dry-run
```
### Regenerate extracted trust outputs
```bash
sudo ca-certs extract
```
Write extracted outputs to a custom directory (skips `/etc/ssl/certs` symlink sync for custom output):
```bash
sudo ca-certs extract --output /tmp/ca-extracted
```
### Work on a rootfs/chroot image
```bash
sudo ca-certs extract --root /mnt/image
sudo ca-certs add /path/to/company-root.pem --root /mnt/image
```
## Mozilla `certdata.txt` workflow
The `certdata` command supports a fetch/parse/convert/sync pipeline for Mozilla NSS trust data.
Fetch `certdata.txt`:
```bash
ca-certs certdata fetch --output certdata.txt
```
Parse and print a summary:
```bash
ca-certs certdata parse certdata.txt
```
Convert to a `p11-kit` trust source and extract outputs:
```bash
sudo ca-certs certdata convert certdata.txt
```
Run the full pipeline (fetch -> convert -> extract):
```bash
sudo ca-certs certdata sync
```
Use `--dry-run` on these commands to preview actions without modifying files.
## Development
Run tests:
```bash
cargo test
```
The repository also includes a generated man page and shell completions under `contrib/`.
## License
MIT. See `LICENSE`.