.\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH UPDATE-CA-CERTIFICATES 8 "20 April 2003" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME update-ca-certificates \- update /etc/ssl/certs and ca-certificates.crt .SH SYNOPSIS .B update-ca-certificates .RI [ options ] .SH DESCRIPTION This manual page documents briefly the .B update-ca-certificates command. .PP \fBupdate-ca-certificates\fP is a program that manages the collection of TLS certificates for the local machine and generates ca-certificates.crt. ca-certificates.crt is a single-file of concatenated certificates. The collection of individual certificates is stored at /etc/ssl/certs. .PP The program reads the configuration file /etc/ca-certificates.conf. Each line gives a pathname of a CA certificate under /usr/share/ca-certificates that should be trusted. Lines that begin with "#" are comment lines and thus ignored. Lines that begin with "!" are deselected, causing the deactivation of the CA certificate in question. .PP Certificates must be in PEM format and have a .crt extension in order to be included by update-ca-certificates. Furthermore, all certificates with a .crt extension found below /usr/local/share/ca-certificates are also included and implicitly trusted. .PP To add one or more certificates to the machine, copy the certificates in PEM format with the *.crt extension to /usr/local/share/ca-certificates. There should be one certificate per file, and not multiple certificates in a single file. Then run update-ca-certificates to merge the new certificates into the existing machine store at /etc/ssl/certs. .PP Before terminating, \fBupdate-ca-certificates\fP invokes \fBrun-parts\fP on /etc/ca-certificates/update.d and calls each hook with a list of certificates: those added are prefixed with a +, those removed are prefixed with a -. .SH OPTIONS A summary of options is included below. .TP .B \-h, \-\-help Show summary of options. .TP .B \-v, \-\-verbose Be verbose. Output \fBopenssl rehash\fP. .TP .B \-f, \-\-fresh Fresh updates. Remove symlinks in /etc/ssl/certs directory. .TP .B \-\-certsconf Change the configuration file. By default, the file /etc/ca-certificates.conf is used. .TP .B \-\-certsdir Change the certificate directory. By default, the directory /usr/share/ca-certificates is used. .TP .B \-\-localcertsdir Change the local certificate directory. By default, the directory /usr/local/share/ca-certificates is used. .TP .B \-\-etccertsdir Change the /etc certificate directory. By default, the directory /etc/ssl/certs is used. .TP .SH FILES .TP .I /etc/ca-certificates.conf A configuration file. .TP .I /etc/ssl/certs/ca-certificates.crt A single-file version of CA certificates. This holds all CA certificates that were activated in /etc/ca-certificates.conf. .TP .I /usr/share/ca-certificates Directory of CA certificates provided by the distribution. .TP .I /usr/local/share/ca-certificates Directory of local CA certificates, with .crt extension, provided by the user. .SH SEE ALSO .BR openssl (1) .SH AUTHOR This manual page was written by Fumitoshi UKAI , for the Debian project (but may be used by others).