- stop committing generated man/completion files in contrib/ - generate man page and shell completions during Meson install via install-generated-docs.sh - switch reqwest to native-tls and add Mozilla hg bootstrap certs with openssl fallback fetch - make certdata sync use a temporary auto-cleaned workspace by default - add BLFS/make-ca compatibility outputs and symlinks under /etc/pki and /etc/ssl - validate extracted outputs are non-empty and add tests for temp sync output behavior
ca-certs
ca-certs is a Linux CLI for managing CA trust store sources and extracted bundles in a p11-kit / trust (update-ca-trust-style) layout.
It supports:
- adding PEM CA certificates to
trust-source/anchors - regenerating extracted trust outputs (PEM bundles, OpenSSL bundle, Java cacerts, hash dir)
- syncing
/etc/ssl/certssymlinks for the standard extraction path - fetching/parsing/converting Mozilla NSS
certdata.txtinto ap11-kittrust source - operating on an alternate root filesystem with
--root(image/chroot builds)
Requirements
- Linux (the tool exits on non-Linux targets)
trust(fromp11-kit) available inPATHopensslavailable inPATHforcertdata convert/certdata syncchrootavailable inPATHwhen using--rootwith a non-/rootfs- permission to write system trust paths (typically root)
Build
Cargo
cargo build --release
Binary output:
target/release/ca-certs
Meson (packaging-friendly)
Builds the Rust binary and generates man/completion artifacts during install.
meson setup build
meson compile -C build
meson install -C build
What It Manages
Default source and output paths mirror common update-ca-trust / p11-kit layouts:
- anchors:
/etc/ca-certificates/trust-source/anchors - extracted output dir:
/etc/ca-certificates/extracted - OpenSSL cert symlink dir:
/etc/ssl/certs - Java cacerts symlink:
/etc/ssl/certs/java/cacerts - Mozilla trust source (for
certdata convert/sync):/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit
extract generates:
tls-ca-bundle.pememail-ca-bundle.pemobjsign-ca-bundle.pemca-bundle.trust.crtedk2-cacerts.binjava-cacerts.jkscadir/(hashed cert directory)
Usage
Show help:
ca-certs --help
ca-certs add --help
ca-certs extract --help
ca-certs certdata --help
Add a CA certificate
Adds a PEM certificate to the anchors directory and refreshes extracted outputs by default.
sudo ca-certs add /path/to/company-root.pem
Specify a custom anchor name:
sudo ca-certs add /path/to/company-root.pem --name company-root
Add without extraction:
sudo ca-certs add /path/to/company-root.pem --no-extract
Dry-run:
ca-certs add /path/to/company-root.pem --dry-run
Regenerate extracted trust outputs
sudo ca-certs extract
Write extracted outputs to a custom directory (skips /etc/ssl/certs symlink sync for custom output):
sudo ca-certs extract --output /tmp/ca-extracted
Work on a rootfs/chroot image
sudo ca-certs extract --root /mnt/image
sudo ca-certs add /path/to/company-root.pem --root /mnt/image
Mozilla certdata.txt workflow
The certdata command supports a fetch/parse/convert/sync pipeline for Mozilla NSS trust data.
Fetch certdata.txt:
ca-certs certdata fetch --output certdata.txt
Parse and print a summary:
ca-certs certdata parse certdata.txt
Convert to a p11-kit trust source and extract outputs:
sudo ca-certs certdata convert certdata.txt
Run the full pipeline (fetch -> convert -> extract):
sudo ca-certs certdata sync
Use --dry-run on these commands to preview actions without modifying files.
Development
Run tests:
cargo test
Man page and shell completions are generated by ca-certs gen-artifacts.
License
MIT. See LICENSE.