LinuxCommandLibrary

trust

Manage system's certificate trust store

TLDR

List trust policy store items

$ trust list

List information about specific items in the trust policy store
$ trust list --filter=[blocklist|ca-anchors|certificates|trust-policy]

Store a specific trust anchor in the trust policy store
$ trust anchor [path/to/certificate.crt]

Remove a specific anchor from the trust policy store
$ trust anchor --remove [path/to/certificate.crt]

Extract trust policy from the shared trust policy store
$ trust extract --format=x509-directory --filter=ca-anchors [path/to/directory]

Display help for a subcommand
$ trust [subcommand] --help
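The TLDR entries above are individual commands; what an administrator usually wants is the whole round trip (store an anchor, confirm the store actually treats it as an anchor, remove it again) with a machine-checkable verification step instead of eyeballing `trust list`. The following script is an added example, not taken from this page or from the p11-kit project. It parses the record layout that `trust list` prints (a `pkcs11:` URI header line followed by indented `key: value` attributes) and reports the labels of entries whose `trust:` attribute has a given value. The sample output embedded in the script is constructed for the example; the entry ids and labels are made up, and the exact attribute values (`anchor`, `distrusted`, `unspecified`) are assumed to match what your p11-kit version prints, so compare them against real `trust list` output on your system before relying on the parser. The `store_and_verify_anchor` and `remove_anchor` helpers are hypothetical wrappers and need root to run.

```shell
#!/bin/sh
# Added example (not from the LinuxCommandLibrary page or from p11-kit):
# inspect `trust list` output and wrap the store / verify / remove workflow.

# Constructed sample modelled on the layout `trust list` prints.
# Ids, labels and the three entries are made up for this example.
SAMPLE_TRUST_LIST='pkcs11:id=%aa%01;type=cert
    type: certificate
    label: Example Corp Internal Root CA
    trust: anchor
    category: authority
pkcs11:id=%bb%02;type=cert
    type: certificate
    label: Revoked Old Root
    trust: distrusted
    category: authority
pkcs11:id=%cc%03;type=cert
    type: certificate
    label: Some Leaf Certificate
    trust: unspecified
    category: other-entry'

# labels_with_trust VALUE
# Reads `trust list` output on stdin and prints, one per line, the label of
# every record whose "trust:" attribute equals VALUE (e.g. anchor, distrusted).
# Each record starts at a "pkcs11:" line, so the previous record is flushed
# there and once more at end of input.
labels_with_trust() {
    awk -v want="$1" '
        function flush() {
            if (label != "" && trust == want) print label
            label = ""; trust = ""
        }
        /^pkcs11:/    { flush() }
        /^ *label: /  { sub(/^ *label: /, ""); label = $0 }
        /^ *trust: /  { sub(/^ *trust: /, ""); trust = $0 }
        END           { flush() }
    '
}

# Convenience wrappers for the two values an administrator checks most often.
anchor_labels()     { labels_with_trust anchor; }
distrusted_labels() { labels_with_trust distrusted; }

# store_and_verify_anchor CERT_FILE LABEL
# Hypothetical helper: stores CERT_FILE as a trust anchor, then confirms that
# an entry with LABEL (normally the certificate subject CN) is listed as an
# anchor. Requires root; returns non-zero if the anchor is not visible.
store_and_verify_anchor() {
    cert="$1"; label="$2"
    trust anchor --store "$cert" || return 1
    trust list --filter=ca-anchors | anchor_labels | grep -Fxq -- "$label"
}

# remove_anchor CERT_FILE LABEL
# Hypothetical helper: removes the anchor and confirms it no longer appears.
remove_anchor() {
    cert="$1"; label="$2"
    trust anchor --remove "$cert" || return 1
    if trust list --filter=ca-anchors | anchor_labels | grep -Fxq -- "$label"; then
        echo "still listed as anchor: $label" >&2
        return 1
    fi
}

# Offline demonstration on the constructed sample (no root, no trust binary):
#   printf '%s\n' "$SAMPLE_TRUST_LIST" | anchor_labels
#   printf '%s\n' "$SAMPLE_TRUST_LIST" | distrusted_labels
# Against a live system (as root):
#   store_and_verify_anchor /path/to/internal-root.crt "Example Corp Internal Root CA"
#   remove_anchor /path/to/internal-root.crt "Example Corp Internal Root CA"
```

Parsing the `trust:` attribute rather than grepping for a label is the point: a certificate can be present in the store and still be distrusted or carry no trust assertion at all, and only the `trust: anchor` entries are what applications will accept as roots.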

SYNOPSIS

trust [OPTIONS...] COMMAND [ARGUMENTS...]

Examples:
trust list --filter=server-auth
trust anchor --store my-ca.pem
trust anchor --remove my-old-ca.pem

PARAMETERS

--filter=TYPE
    Filters the output of the list command to show only certificates with a specific trust purpose, such as trust (trusted roots), blacklist, server-auth, or client-auth.

--quiet
    Suppresses informational messages and prints only errors, making the output less verbose.

--verbose
    Increases the verbosity of the output, providing more detailed information about the operations being performed.

--help
    Displays a summary of the command's usage and available options, then exits.

--version
    Prints the version information of the trust command and exits.

list
    Lists the trusted or blacklisted certificates, either all of them or filtered by purpose.

anchor
    Manages trust anchors. Used with --store to add a certificate file as a trusted anchor, or --remove to remove an existing one.

extract
    Extracts trusted certificates into a format suitable for use by applications.

dump
    Dumps all certificates and trust information from the system's trust store in a human-readable format.

extract-compat
    Extracts certificates for compatibility with older applications that expect certificates in traditional formats or locations.

extract-pkcs11
    Extracts information about available PKCS#11 modules registered with the system.

DESCRIPTION

The trust command manages the system-wide trust policy for X.509 certificates and PKCS#11 modules on Linux systems. It is part of the p11-kit framework, which gives applications a single, standardized way to access cryptographic objects and trust anchors. System administrators use it to add, remove, and list trusted root certificates, thereby controlling which Certificate Authorities (CAs) and cryptographic devices the system and its applications will implicitly trust. Because every consumer of the system trust store reads the same policy, this centralization keeps trust decisions consistent across software components. Compared with the older, distribution-specific methods, trust offers a consistent, programmatic interface for keeping the certificate trust environment secure and up to date.

CAVEATS

Most operations that modify the system's trust policy (e.g., adding or removing trust anchors) require root privileges or the use of sudo.
The trust command manages system-wide trust. Changes affect all applications that rely on the standard system trust store, not just individual user configurations.
Modifications made by trust typically trigger an update of the system's CA certificates bundle (e.g., via update-ca-certificates), which may require applications or services to be restarted to pick up the changes.
This command is specific to the p11-kit framework and environments that utilize it for certificate trust management.

TRUST STORE LOCATIONS

The trust command primarily interacts with the system's consolidated trust store, which typically sources certificates from locations like /etc/pki/ca-trust/source/anchors/ (for locally added anchors), /usr/share/pki/ca-trust-source/ (for distribution-provided anchors), and other designated directories. The processed and aggregated trust information is then made available to applications, often in formats like PEM bundles.

INTEGRATION WITH P11-KIT

trust is a front-end utility for the p11-kit library and daemon. p11-kit itself provides a way for applications to discover and use PKCS#11 modules (like hardware security modules) and also manages a unified system-wide trust store. The trust command leverages this underlying framework to perform its operations, ensuring that certificate and module management is consistent and robust across the system.

HISTORY

The trust command is a relatively modern addition to Linux's cryptographic infrastructure, emerging as part of the p11-kit project. Prior to its introduction, managing system-wide certificate trust often involved manual placement of certificate files and custom scripts or less standardized utilities. The development of p11-kit and subsequently the trust command aimed to centralize and standardize the management of PKCS#11 modules and X.509 certificate trust anchors, providing a consistent API for applications and a robust command-line interface for administrators. This evolution has significantly improved the security posture and manageability of certificate-based authentication and encryption on Linux systems.

SEE ALSO

p11-kit(8), update-ca-certificates(8), pkcs11(7)
