2026-02-23 20:06:44 -06:00
2026-02-23 20:06:44 -06:00
2026-02-23 20:06:44 -06:00
2026-02-23 20:06:44 -06:00
2026-02-23 20:06:44 -06:00
2026-02-23 20:06:44 -06:00
2026-02-23 20:06:44 -06:00
2026-02-23 20:06:44 -06:00

ca-certs

ca-certs is a Linux CLI for managing CA trust store sources and extracted bundles in a p11-kit / trust (update-ca-trust-style) layout.

It supports:

  • adding PEM CA certificates to trust-source/anchors
  • regenerating extracted trust outputs (PEM bundles, OpenSSL bundle, Java cacerts, hash dir)
  • syncing /etc/ssl/certs symlinks for the standard extraction path
  • fetching/parsing/converting Mozilla NSS certdata.txt into a p11-kit trust source
  • operating on an alternate root filesystem with --root (image/chroot builds)

Requirements

  • Linux (the tool exits on non-Linux targets)
  • trust (from p11-kit) available in PATH
  • openssl available in PATH for certdata convert / certdata sync
  • chroot available in PATH when using --root with a non-/ rootfs
  • permission to write system trust paths (typically root)

Build

Cargo

cargo build --release

Binary output:

target/release/ca-certs

Meson (packaging-friendly)

Builds the Rust binary and installs the man page + shell completions from contrib/.

meson setup build
meson compile -C build
meson install -C build

What It Manages

Default source and output paths mirror common update-ca-trust / p11-kit layouts:

  • anchors: /etc/ca-certificates/trust-source/anchors
  • extracted output dir: /etc/ca-certificates/extracted
  • OpenSSL cert symlink dir: /etc/ssl/certs
  • Java cacerts symlink: /etc/ssl/certs/java/cacerts
  • Mozilla trust source (for certdata convert/sync): /usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit

extract generates:

  • tls-ca-bundle.pem
  • email-ca-bundle.pem
  • objsign-ca-bundle.pem
  • ca-bundle.trust.crt
  • edk2-cacerts.bin
  • java-cacerts.jks
  • cadir/ (hashed cert directory)

Usage

Show help:

ca-certs --help
ca-certs add --help
ca-certs extract --help
ca-certs certdata --help

Add a CA certificate

Adds a PEM certificate to the anchors directory and refreshes extracted outputs by default.

sudo ca-certs add /path/to/company-root.pem

Specify a custom anchor name:

sudo ca-certs add /path/to/company-root.pem --name company-root

Add without extraction:

sudo ca-certs add /path/to/company-root.pem --no-extract

Dry-run:

ca-certs add /path/to/company-root.pem --dry-run

Regenerate extracted trust outputs

sudo ca-certs extract

Write extracted outputs to a custom directory (skips /etc/ssl/certs symlink sync for custom output):

sudo ca-certs extract --output /tmp/ca-extracted

Work on a rootfs/chroot image

sudo ca-certs extract --root /mnt/image
sudo ca-certs add /path/to/company-root.pem --root /mnt/image

Mozilla certdata.txt workflow

The certdata command supports a fetch/parse/convert/sync pipeline for Mozilla NSS trust data.

Fetch certdata.txt:

ca-certs certdata fetch --output certdata.txt

Parse and print a summary:

ca-certs certdata parse certdata.txt

Convert to a p11-kit trust source and extract outputs:

sudo ca-certs certdata convert certdata.txt

Run the full pipeline (fetch -> convert -> extract):

sudo ca-certs certdata sync

Use --dry-run on these commands to preview actions without modifying files.

Development

Run tests:

cargo test

The repository also includes a generated man page and shell completions under contrib/.

License

MIT. See LICENSE.

S
Description
No description provided
Readme MIT 280 KiB
Languages
Rust 97.3%
Meson 1.8%
Shell 0.9%