trust

trust command [options]

trust manages the shared system trust policy store, which contains trusted CA certificates, blocklisted certificates, and trust policies. It allows administrators to add, remove, and extract trust anchors used for TLS/SSL verification across the system.Changes made with trust affect all applications that use the p11-kit trust module, providing a unified way to manage certificates rather than configuring each application individually.

list

List trust policy store items

Add a trust anchor to the store

Remove a trust anchor

Extract trust anchors in specified format.

Extract trust policy in a format compatible with the system's native tools.

Filter by type (ca-anchors, blocklist, certificates, trust-policy).

Output format (x509-file, x509-directory, pem-file, pem-bundle, java-cacerts, openssl-bundle, openssl-directory, etc.).

Filter by purpose (server-auth, client-auth, email, code-signing).

May require root privileges to modify the system trust store if no user-specific store is available. Changes may require applications to be restarted to take effect. The store format and location varies by distribution.

Part of p11-kit, developed as part of the FreeDesktop.org project to provide a standard way to manage trust anchors across Linux distributions. Replaces distribution-specific methods like update-ca-certificates.

update-ca-trust(8), update-ca-certificates(8), openssl(1), p11-kit(8)