# ca-certs `ca-certs` is a Linux CLI for managing CA trust store sources and extracted bundles in a `p11-kit` / `trust` (`update-ca-trust`-style) layout. It supports: - adding PEM CA certificates to `trust-source/anchors` - regenerating extracted trust outputs (PEM bundles, OpenSSL bundle, Java cacerts, hash dir) - syncing `/etc/ssl/certs` symlinks for the standard extraction path - fetching/parsing/converting Mozilla NSS `certdata.txt` into a `p11-kit` trust source - operating on an alternate root filesystem with `--root` (image/chroot builds) ## Requirements - Linux (the tool exits on non-Linux targets) - `trust` (from `p11-kit`) available in `PATH` - `openssl` available in `PATH` for `certdata convert` / `certdata sync` - `chroot` available in `PATH` when using `--root` with a non-`/` rootfs - permission to write system trust paths (typically root) ## Build ### Cargo ```bash cargo build --release ``` Binary output: ```text target/release/ca-certs ``` ### Meson (packaging-friendly) Builds the Rust binary and generates man/completion artifacts during install. ```bash meson setup build meson compile -C build meson install -C build ``` ## What It Manages Default source and output paths mirror common `update-ca-trust` / `p11-kit` layouts: - anchors: `/etc/ca-certificates/trust-source/anchors` - extracted output dir: `/etc/ca-certificates/extracted` - OpenSSL cert symlink dir: `/etc/ssl/certs` - Java cacerts symlink: `/etc/ssl/certs/java/cacerts` - Mozilla trust source (for `certdata convert/sync`): `/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit` `extract` generates: - `tls-ca-bundle.pem` - `email-ca-bundle.pem` - `objsign-ca-bundle.pem` - `ca-bundle.trust.crt` - `edk2-cacerts.bin` - `java-cacerts.jks` - `cadir/` (hashed cert directory) ## Usage Show help: ```bash ca-certs --help ca-certs add --help ca-certs extract --help ca-certs certdata --help ``` ### Add a CA certificate Adds a PEM certificate to the anchors directory and refreshes extracted outputs by default. ```bash sudo ca-certs add /path/to/company-root.pem ``` Specify a custom anchor name: ```bash sudo ca-certs add /path/to/company-root.pem --name company-root ``` Add without extraction: ```bash sudo ca-certs add /path/to/company-root.pem --no-extract ``` Dry-run: ```bash ca-certs add /path/to/company-root.pem --dry-run ``` ### Regenerate extracted trust outputs ```bash sudo ca-certs extract ``` Write extracted outputs to a custom directory (skips `/etc/ssl/certs` symlink sync for custom output): ```bash sudo ca-certs extract --output /tmp/ca-extracted ``` ### Work on a rootfs/chroot image ```bash sudo ca-certs extract --root /mnt/image sudo ca-certs add /path/to/company-root.pem --root /mnt/image ``` ## Mozilla `certdata.txt` workflow The `certdata` command supports a fetch/parse/convert/sync pipeline for Mozilla NSS trust data. Fetch `certdata.txt`: ```bash ca-certs certdata fetch --output certdata.txt ``` Parse and print a summary: ```bash ca-certs certdata parse certdata.txt ``` Convert to a `p11-kit` trust source and extract outputs: ```bash sudo ca-certs certdata convert certdata.txt ``` Run the full pipeline (fetch -> convert -> extract): ```bash sudo ca-certs certdata sync ``` Use `--dry-run` on these commands to preview actions without modifying files. ## Development Run tests: ```bash cargo test ``` Man page and shell completions are generated by `ca-certs gen-artifacts`. ## License MIT. See `LICENSE`.