update-ca-certificates
Update system's trusted certificate authority list
SYNOPSIS
update-ca-certificates [options]
PARAMETERS
--fresh
Delete all files (except ca-certificates.crt) in /etc/ssl/certs and regenerate symlinks from scratch.
-h, --help
Display usage summary and exit.
--version
Output version information and exit.
DESCRIPTION
The update-ca-certificates command is a utility primarily used on Debian-based Linux distributions to manage and update the system's bundle of trusted Certificate Authority (CA) certificates. It scans directories /usr/share/ca-certificates and /usr/local/share/ca-certificates for .crt files, checks which ones are enabled in the configuration file /etc/ca-certificates.conf, and maintains symbolic links in /etc/ssl/certs/. It also generates the concatenated certificate bundle /etc/ssl/certs/ca-certificates.crt, which is used by applications like wget, curl, and OpenSSL for SSL/TLS verification.
This command ensures the system stays current with trusted root certificates, removing obsolete ones and adding new ones as configured. It is typically run as root after installing or updating the ca-certificates package, or when adding custom certificates by placing them in /usr/local/share/ca-certificates/ and editing the conf file. The process helps prevent man-in-the-middle attacks by maintaining an up-to-date trust store.
Invocation is straightforward, and it integrates with package managers like apt, which call it automatically during certificate updates.
CAVEATS
Must be run as root (for example, with sudo). Modifies system-wide files; back up /etc/ca-certificates.conf before making custom changes. Not suitable for containerized environments without adjustments.
CONFIGURATION
Edit /etc/ca-certificates.conf to enable or disable certificates; a line starting with '!' disables that certificate. Format: one certificate path per line, such as local/cacert.crt.
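An added example (not part of the ca-certificates package): a shell function that audits a file in the /etc/ca-certificates.conf format against a certificate directory and reports which entries are enabled, disabled with '!', listed but missing on disk, or present on disk but never listed. The names audit_ca_conf and make_sample and the sample tree are constructed for this example; lines starting with '#' are treated as comments, and on a real system the directory argument is assumed to be /usr/share/ca-certificates.

```shell
#!/bin/sh
# Added example, not part of the ca-certificates package.
# audit_ca_conf CONF CERTDIR
#   CONF     file in the /etc/ca-certificates.conf format
#   CERTDIR  directory the entries are relative to (assumption: this is
#            /usr/share/ca-certificates on a real system)
# Prints one finding per line:
#   enabled ENTRY    listed and the file exists
#   disabled ENTRY   line starts with '!'
#   missing ENTRY    listed as enabled but no such file in CERTDIR
#   unlisted ENTRY   .crt file in CERTDIR that CONF never mentions
audit_ca_conf() {
    conf=$1
    certdir=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '' | '#'*) continue ;;                 # blank line or comment
            '!'*) echo "disabled ${line#?}" ;;     # strip the leading '!'
            *)  if [ -f "$certdir/$line" ]; then
                    echo "enabled $line"
                else
                    echo "missing $line"
                fi ;;
        esac
    done < "$conf"
    # Second pass: .crt files on disk that CONF neither enables nor disables.
    (cd "$certdir" && find . -type f -name '*.crt' | sed 's|^\./||' | sort) |
    while IFS= read -r f; do
        grep -qxF -e "$f" -e "!$f" "$conf" || echo "unlisted $f"
    done
}

# Constructed sample tree (empty placeholder files, not real certificates)
# so the audit runs without touching the system trust store.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/certs/example" "$d/certs/local"
    : > "$d/certs/example/Constructed_Root_A.crt"
    : > "$d/certs/example/Constructed_Root_B.crt"
    : > "$d/certs/local/cacert.crt"
    printf '%s\n' '# constructed sample' \
        'example/Constructed_Root_A.crt' \
        '!example/Constructed_Root_B.crt' \
        'example/Removed_Root_C.crt' > "$d/ca-certificates.conf"
    echo "$d"
}

sample=$(make_sample)
audit_ca_conf "$sample/ca-certificates.conf" "$sample/certs"
rm -rf "$sample"
```

Reviewing the "enabled" lines against an approved list is a quick way to spot a trust anchor that was switched on outside of change control.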
ADDING CUSTOM CERTS
Copy the .crt file to /usr/local/share/ca-certificates/, append its entry to /etc/ca-certificates.conf, then run update-ca-certificates.
HISTORY
Part of Debian's ca-certificates package since 2003 (version 20030301). Evolved to support Mozilla's NSS certificate store synchronization via mozilla-certifix script in later versions. Maintained by the Debian SSL maintainer team.
SEE ALSO
ca-certificates(8), c_rehash(1), openssl(1)


