update-ca-trust

Update CA certificate trust store

$ sudo update-ca-trust extract

$ sudo update-ca-trust

$ update-ca-trust check

update-ca-trust [command]

update-ca-trust manages the system's CA certificate trust store on Red Hat-based distributions. It consolidates certificates from multiple sources into unified files that applications use for SSL/TLS verification.
Certificates placed in the anchors directory are added to the trust store. Certificates in the blacklist directory are explicitly distrusted. Both PEM and DER formats are supported.
After adding or removing certificates, run update-ca-trust extract to rebuild the consolidated trust files. Applications reading from /etc/pki/ca-trust/extracted/ will then use the updated certificates.

extract: Rebuild the consolidated CA certificate files.
check: Verify trust configuration consistency.

Add trusted certificates:

/etc/pki/ca-trust/source/anchors/

/etc/pki/ca-trust/source/blacklist/

/etc/pki/ca-trust/extracted/

Changes require running extract to take effect. Some applications cache certificates and need restart. Debian-based systems use update-ca-certificates instead. Incorrect certificates can break SSL connections.

update-ca-trust is part of the ca-certificates package on Red Hat Enterprise Linux, Fedora, and CentOS. It replaced older certificate management methods to provide a unified approach to trust configuration that works with both OpenSSL and NSS libraries.

update-ca-certificates(8), openssl(1), trust(1), p11-kit(8)