Provided by: ca-certificates_20240203_all bug

NAME
       update-ca-certificates - update /etc/ssl/certs and ca-certificates.crt


SYNOPSIS
       update-ca-certificates [options]


DESCRIPTION
       This manual page documents briefly the update-ca-certificates command.

       update-ca-certificates is a program that manages the collection of TLS certificates for the local machine
       and generates ca-certificates.crt.  ca-certificates.crt is a single-file  of  concatenated  certificates.
       The collection of individual certificates is stored at /etc/ssl/certs.

       The  program  reads  the configuration file /etc/ca-certificates.conf. Each line gives a pathname of a CA
       certificate under /usr/share/ca-certificates that should be  trusted.  Lines  that  begin  with  "#"  are
       comment  lines  and  thus ignored.  Lines that begin with "!" are deselected, causing the deactivation of
       the CA certificate in question.

       Certificates must be in PEM format and have a .crt extension  in  order  to  be  included  by  update-ca-
       certificates.  Furthermore,  all  certificates  with  a  .crt  extension found below /usr/local/share/ca-
       certificates are also included and implicitly trusted.

       To add one or more certificates to the machine, copy the  certificates  in  PEM  format  with  the  *.crt
       extension to /usr/local/share/ca-certificates. There should be one certificate per file, and not multiple
       certificates in a single file. Then run update-ca-certificates to merge the  new  certificates  into  the
       existing machine store at /etc/ssl/certs.

       Before  terminating,  update-ca-certificates invokes run-parts on /etc/ca-certificates/update.d and calls
       each hook with a list of certificates: those added are prefixed with a +, those removed are prefixed with
       a -.


OPTIONS
       A summary of options is included below.

       -h, --help
              Show summary of options.

       -v, --verbose
              Be verbose. Output openssl rehash.

       -f, --fresh
              Fresh updates.  Remove symlinks in /etc/ssl/certs directory.

       --certsconf
              Change the configuration file. By default, the file /etc/ca-certificates.conf is used.

       --certsdir
              Change the certificate directory. By default, the directory /usr/share/ca-certificates is used.

       --localcertsdir
              Change the local certificate directory. By default, the directory /usr/local/share/ca-certificates
              is used.

       --etccertsdir
              Change the /etc certificate directory. By default, the directory /etc/ssl/certs is used.

       FILES

       /etc/ca-certificates.conf
              A configuration file.

       /etc/ssl/certs/ca-certificates.crt
              A single-file version of CA certificates. This holds all CA certificates that  were  activated  in
              /etc/ca-certificates.conf.

       /usr/share/ca-certificates
              Directory of CA certificates provided by the distribution.

       /usr/local/share/ca-certificates
              Directory of local CA certificates, with .crt extension, provided by the user.


SEE ALSO
       openssl(1)


AUTHOR
       This  manual  page  was written by Fumitoshi UKAI <ukai@debian.or.jp>, for the Debian project (but may be
       used by others).

                                                  20 April 2003                        UPDATE-CA-CERTIFICATES(8)