Provided by: ca-certificates_20240203_all bug

NAME
       update-ca-certificates - update /etc/ssl/certs and ca-certificates.crt


SYNOPSIS
       update-ca-certificates [options]


DESCRIPTION
       This manual page documents briefly the update-ca-certificates command.

       update-ca-certificates  is  a  program that manages the collection of TLS certificates for
       the local machine and generates ca-certificates.crt.  ca-certificates.crt is a single-file
       of  concatenated  certificates.   The  collection  of individual certificates is stored at
       /etc/ssl/certs.

       The program reads the configuration file  /etc/ca-certificates.conf.  Each  line  gives  a
       pathname  of  a  CA  certificate  under /usr/share/ca-certificates that should be trusted.
       Lines that begin with "#" are comment lines and thus ignored.  Lines that begin  with  "!"
       are deselected, causing the deactivation of the CA certificate in question.

       Certificates  must  be  in PEM format and have a .crt extension in order to be included by
       update-ca-certificates. Furthermore, all certificates with a .crt  extension  found  below
       /usr/local/share/ca-certificates are also included and implicitly trusted.

       To  add  one or more certificates to the machine, copy the certificates in PEM format with
       the *.crt extension to /usr/local/share/ca-certificates. There should be  one  certificate
       per  file, and not multiple certificates in a single file. Then run update-ca-certificates
       to merge the new certificates into the existing machine store at /etc/ssl/certs.

       Before    terminating,    update-ca-certificates    invokes    run-parts    on    /etc/ca-
       certificates/update.d  and  calls  each  hook with a list of certificates: those added are
       prefixed with a +, those removed are prefixed with a -.


OPTIONS
       A summary of options is included below.

       -h, --help
              Show summary of options.

       -v, --verbose
              Be verbose. Output openssl rehash.

       -f, --fresh
              Fresh updates.  Remove symlinks in /etc/ssl/certs directory.

       --certsconf
              Change the configuration file. By default, the  file  /etc/ca-certificates.conf  is
              used.

       --certsdir
              Change   the  certificate  directory.  By  default,  the  directory  /usr/share/ca-
              certificates is used.

       --localcertsdir
              Change   the   local   certificate   directory.   By   default,    the    directory
              /usr/local/share/ca-certificates is used.

       --etccertsdir
              Change  the /etc certificate directory. By default, the directory /etc/ssl/certs is
              used.

       FILES

       /etc/ca-certificates.conf
              A configuration file.

       /etc/ssl/certs/ca-certificates.crt
              A single-file version of CA certificates. This holds all CA certificates that  were
              activated in /etc/ca-certificates.conf.

       /usr/share/ca-certificates
              Directory of CA certificates provided by the distribution.

       /usr/local/share/ca-certificates
              Directory of local CA certificates, with .crt extension, provided by the user.


SEE ALSO
       openssl(1)


AUTHOR
       This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>, for the Debian project
       (but may be used by others).

                                          20 April 2003                 UPDATE-CA-CERTIFICATES(8)