Files
SFG545 11580aebcf ca-certs: generate install artifacts and improve certdata/trust-store compatibility
- stop committing generated man/completion files in contrib/
- generate man page and shell completions during Meson install via install-generated-docs.sh
- switch reqwest to native-tls and add Mozilla hg bootstrap certs with openssl fallback fetch
- make certdata sync use a temporary auto-cleaned workspace by default
- add BLFS/make-ca compatibility outputs and symlinks under /etc/pki and /etc/ssl
- validate extracted outputs are non-empty and add tests for temp sync output behavior
2026-02-28 00:47:16 -06:00

164 lines
3.4 KiB
Markdown

# ca-certs
`ca-certs` is a Linux CLI for managing CA trust store sources and extracted bundles in a `p11-kit` / `trust` (`update-ca-trust`-style) layout.
It supports:
- adding PEM CA certificates to `trust-source/anchors`
- regenerating extracted trust outputs (PEM bundles, OpenSSL bundle, Java cacerts, hash dir)
- syncing `/etc/ssl/certs` symlinks for the standard extraction path
- fetching/parsing/converting Mozilla NSS `certdata.txt` into a `p11-kit` trust source
- operating on an alternate root filesystem with `--root` (image/chroot builds)
## Requirements
- Linux (the tool exits on non-Linux targets)
- `trust` (from `p11-kit`) available in `PATH`
- `openssl` available in `PATH` for `certdata convert` / `certdata sync`
- `chroot` available in `PATH` when using `--root` with a non-`/` rootfs
- permission to write system trust paths (typically root)
## Build
### Cargo
```bash
cargo build --release
```
Binary output:
```text
target/release/ca-certs
```
### Meson (packaging-friendly)
Builds the Rust binary and generates man/completion artifacts during install.
```bash
meson setup build
meson compile -C build
meson install -C build
```
## What It Manages
Default source and output paths mirror common `update-ca-trust` / `p11-kit` layouts:
- anchors: `/etc/ca-certificates/trust-source/anchors`
- extracted output dir: `/etc/ca-certificates/extracted`
- OpenSSL cert symlink dir: `/etc/ssl/certs`
- Java cacerts symlink: `/etc/ssl/certs/java/cacerts`
- Mozilla trust source (for `certdata convert/sync`): `/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit`
`extract` generates:
- `tls-ca-bundle.pem`
- `email-ca-bundle.pem`
- `objsign-ca-bundle.pem`
- `ca-bundle.trust.crt`
- `edk2-cacerts.bin`
- `java-cacerts.jks`
- `cadir/` (hashed cert directory)
## Usage
Show help:
```bash
ca-certs --help
ca-certs add --help
ca-certs extract --help
ca-certs certdata --help
```
### Add a CA certificate
Adds a PEM certificate to the anchors directory and refreshes extracted outputs by default.
```bash
sudo ca-certs add /path/to/company-root.pem
```
Specify a custom anchor name:
```bash
sudo ca-certs add /path/to/company-root.pem --name company-root
```
Add without extraction:
```bash
sudo ca-certs add /path/to/company-root.pem --no-extract
```
Dry-run:
```bash
ca-certs add /path/to/company-root.pem --dry-run
```
### Regenerate extracted trust outputs
```bash
sudo ca-certs extract
```
Write extracted outputs to a custom directory (skips `/etc/ssl/certs` symlink sync for custom output):
```bash
sudo ca-certs extract --output /tmp/ca-extracted
```
### Work on a rootfs/chroot image
```bash
sudo ca-certs extract --root /mnt/image
sudo ca-certs add /path/to/company-root.pem --root /mnt/image
```
## Mozilla `certdata.txt` workflow
The `certdata` command supports a fetch/parse/convert/sync pipeline for Mozilla NSS trust data.
Fetch `certdata.txt`:
```bash
ca-certs certdata fetch --output certdata.txt
```
Parse and print a summary:
```bash
ca-certs certdata parse certdata.txt
```
Convert to a `p11-kit` trust source and extract outputs:
```bash
sudo ca-certs certdata convert certdata.txt
```
Run the full pipeline (fetch -> convert -> extract):
```bash
sudo ca-certs certdata sync
```
Use `--dry-run` on these commands to preview actions without modifying files.
## Development
Run tests:
```bash
cargo test
```
Man page and shell completions are generated by `ca-certs gen-artifacts`.
## License
MIT. See `LICENSE`.