trust

List trust policy store items

$ trust list

$ trust list --filter=[blocklist|ca-anchors|certificates|trust-policy]

$ trust anchor [path/to/certificate.crt]

$ trust anchor --remove [path/to/certificate.crt]

$ trust extract --format=x509-directory --filter=ca-anchors [path/to/directory]

$ trust [subcommand] --help

trust command [options]

trust manages the shared system trust policy store, which contains trusted CA certificates, blocklisted certificates, and trust policies. It allows administrators to add, remove, and extract trust anchors used for TLS/SSL verification across the system.
Changes made with trust affect all applications that use the p11-kit trust module, providing a unified way to manage certificates rather than configuring each application individually.

list

List trust policy store items

Add a trust anchor to the store

Remove a trust anchor

Extract trust anchors in specified format

Filter by type (ca-anchors, blocklist, certificates, trust-policy)

Output format (x509-file, x509-directory, pem-file, etc.)

Filter by purpose (server-auth, client-auth, email, code-signing)

Requires root privileges to modify system trust store. Changes may require applications to be restarted to take effect. The store format and location varies by distribution.

Part of p11-kit, developed as part of the FreeDesktop.org project to provide a standard way to manage trust anchors across Linux distributions. Replaces distribution-specific methods like update-ca-certificates.

update-ca-trust(8), openssl(1), p11-kit(8)