Files
ca-certs/README.md
T
SFG545 11580aebcf ca-certs: generate install artifacts and improve certdata/trust-store compatibility
- stop committing generated man/completion files in contrib/
- generate man page and shell completions during Meson install via install-generated-docs.sh
- switch reqwest to native-tls and add Mozilla hg bootstrap certs with openssl fallback fetch
- make certdata sync use a temporary auto-cleaned workspace by default
- add BLFS/make-ca compatibility outputs and symlinks under /etc/pki and /etc/ssl
- validate extracted outputs are non-empty and add tests for temp sync output behavior
2026-02-28 00:47:16 -06:00

3.4 KiB

ca-certs

ca-certs is a Linux CLI for managing CA trust store sources and extracted bundles in a p11-kit / trust (update-ca-trust-style) layout.

It supports:

  • adding PEM CA certificates to trust-source/anchors
  • regenerating extracted trust outputs (PEM bundles, OpenSSL bundle, Java cacerts, hash dir)
  • syncing /etc/ssl/certs symlinks for the standard extraction path
  • fetching/parsing/converting Mozilla NSS certdata.txt into a p11-kit trust source
  • operating on an alternate root filesystem with --root (image/chroot builds)

Requirements

  • Linux (the tool exits on non-Linux targets)
  • trust (from p11-kit) available in PATH
  • openssl available in PATH for certdata convert / certdata sync
  • chroot available in PATH when using --root with a non-/ rootfs
  • permission to write system trust paths (typically root)

Build

Cargo

cargo build --release

Binary output:

target/release/ca-certs

Meson (packaging-friendly)

Builds the Rust binary and generates man/completion artifacts during install.

meson setup build
meson compile -C build
meson install -C build

What It Manages

Default source and output paths mirror common update-ca-trust / p11-kit layouts:

  • anchors: /etc/ca-certificates/trust-source/anchors
  • extracted output dir: /etc/ca-certificates/extracted
  • OpenSSL cert symlink dir: /etc/ssl/certs
  • Java cacerts symlink: /etc/ssl/certs/java/cacerts
  • Mozilla trust source (for certdata convert/sync): /usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit

extract generates:

  • tls-ca-bundle.pem
  • email-ca-bundle.pem
  • objsign-ca-bundle.pem
  • ca-bundle.trust.crt
  • edk2-cacerts.bin
  • java-cacerts.jks
  • cadir/ (hashed cert directory)

Usage

Show help:

ca-certs --help
ca-certs add --help
ca-certs extract --help
ca-certs certdata --help

Add a CA certificate

Adds a PEM certificate to the anchors directory and refreshes extracted outputs by default.

sudo ca-certs add /path/to/company-root.pem

Specify a custom anchor name:

sudo ca-certs add /path/to/company-root.pem --name company-root

Add without extraction:

sudo ca-certs add /path/to/company-root.pem --no-extract

Dry-run:

ca-certs add /path/to/company-root.pem --dry-run

Regenerate extracted trust outputs

sudo ca-certs extract

Write extracted outputs to a custom directory (skips /etc/ssl/certs symlink sync for custom output):

sudo ca-certs extract --output /tmp/ca-extracted

Work on a rootfs/chroot image

sudo ca-certs extract --root /mnt/image
sudo ca-certs add /path/to/company-root.pem --root /mnt/image

Mozilla certdata.txt workflow

The certdata command supports a fetch/parse/convert/sync pipeline for Mozilla NSS trust data.

Fetch certdata.txt:

ca-certs certdata fetch --output certdata.txt

Parse and print a summary:

ca-certs certdata parse certdata.txt

Convert to a p11-kit trust source and extract outputs:

sudo ca-certs certdata convert certdata.txt

Run the full pipeline (fetch -> convert -> extract):

sudo ca-certs certdata sync

Use --dry-run on these commands to preview actions without modifying files.

Development

Run tests:

cargo test

Man page and shell completions are generated by ca-certs gen-artifacts.

License

MIT. See LICENSE.