diff --git a/_topic_map.yml b/_topic_map.yml index d0bf37c..5434caf 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -34,6 +34,8 @@ Topics: File: securing-the-system-by-keeping-it-up-to-date - Name: Adding or removing software repositories in Fedora File: adding-or-removing-software-repositories-in-fedora + - Name: Using Shared System Certificates + File: using-shared-system-certificates - Name: (FIX ME!) Third party repositories File: 3rd-party-repos - Name: (FIX ME!) Anaconda diff --git a/en-US/modules/concept_using-the-system-wide-trust-store.adoc b/en-US/modules/con_using-the-system-wide-trust-store.adoc similarity index 65% rename from en-US/modules/concept_using-the-system-wide-trust-store.adoc rename to en-US/modules/con_using-the-system-wide-trust-store.adoc index e796872..2c9dc01 100644 --- a/en-US/modules/concept_using-the-system-wide-trust-store.adoc +++ b/en-US/modules/con_using-the-system-wide-trust-store.adoc 
@@ -3,12 +3,16 @@ In Fedora, the consolidated system-wide trust store is located in the `/etc/pki/ca-trust/` and `/usr/share/pki/ca-trust-source/` directories. The trust settings in `/usr/share/pki/ca-trust-source/` are processed with lower priority than settings in `/etc/pki/ca-trust/`. -Certificate files are treated depending on the subdirectory they are installed to: +Certificate files are treated depending on the subdirectory they are installed to the following directories: -* `/usr/share/pki/ca-trust-source/anchors/` or `/etc/pki/ca-trust/source/anchors/` - for trust anchors. - -* `/usr/share/pki/ca-trust-source/blacklist/` or `/etc/pki/ca-trust/source/blacklist/` - for distrusted certificates. - -* `/usr/share/pki/ca-trust-source/` or `/etc/pki/ca-trust/source/` - for certificates in the extended BEGIN TRUSTED file format. +* for trust anchors +** `/usr/share/pki/ca-trust-source/anchors/` or +** `/etc/pki/ca-trust/source/anchors/` +* for distrusted certificates +** `/usr/share/pki/ca-trust-source/blacklist/` or +** `/etc/pki/ca-trust/source/blacklist/` +* for certificates in the extended BEGIN TRUSTED file format +** `/usr/share/pki/ca-trust-source/` or +** `/etc/pki/ca-trust/source/` NOTE: In a hierarchical cryptographic system, a trust anchor is an authoritative entity which is assumed to be trustworthy. For example, in X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. The trust anchor must be put in the possession of the trusting party beforehand to make path validation possible. diff --git a/en-US/modules/proc_adding-new-certificates.adoc b/en-US/modules/proc_adding-new-certificates.adoc index 71848cb..097f245 100644 --- a/en-US/modules/proc_adding-new-certificates.adoc +++ b/en-US/modules/proc_adding-new-certificates.adoc 
@@ -1,15 +1,13 @@ -[[sec-Adding-New-Certificates]] +[id='proc_adding-new-certificates'] = Adding New Certificates -.Before you start - .Procedure To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the `/usr/share/pki/ca-trust-source/anchors/` or `/etc/pki/ca-trust/source/anchors/` directory, for example: -[subs="macros"] +[subs="+quotes,macros"] ---- -# cp pass:quotes[_~/certificate-trust-examples/Cert-trust-test-ca.pem_] pass:quotes[_/usr/share/pki/ca-trust-source/anchors/_] +# cp _~/certificate-trust-examples/Cert-trust-test-ca.pem_ _/usr/share/pki/ca-trust-source/anchors/_ ---- To update the system-wide trust store configuration, use the [command]`update-ca-trust` command: @@ -20,9 +18,5 @@ To update the system-wide trust store configuration, use the [command]`update-ca [NOTE] ==== - While the Firefox browser is able to use an added certificate without executing [command]`update-ca-trust`, it is recommended to run [command]`update-ca-trust` after a CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear the browser's cache or restart your browser to load the current system certificates configuration. - ==== - -.More information diff --git a/en-US/modules/proc_managing-trusted-system-certificates.adoc b/en-US/modules/proc_managing-trusted-system-certificates.adoc index 412d78c..4dfae5d 100644 --- a/en-US/modules/proc_managing-trusted-system-certificates.adoc +++ b/en-US/modules/proc_managing-trusted-system-certificates.adoc @@ -1,10 +1,6 @@ -[[sec-Managing-Trusted-System-Certificates]] +[id='proc_managing-trusted-system-certificates'] = Managing Trusted System Certificates -.Before you start - - - .Procedure To list, extract, add, remove, or change trust anchors, use the [command]`trust` command. To see the built-in help for this command, enter it without any arguments or with the [option]`--help` directive: 
diff --git a/en-US/using-shared-system-certificates.adoc b/en-US/using-shared-system-certificates.adoc index 1cdd634..b68e3a1 100644 --- a/en-US/using-shared-system-certificates.adoc +++ b/en-US/using-shared-system-certificates.adoc @@ -1,15 +1,14 @@ -:md: ./modules - [[using-shared-system-certificates]] = Using Shared System Certificates The Shared System Certificates storage enables NSS, GnuTLS, OpenSSL, and Java to share a default source for retrieving system certificate anchors and black list information. By default, the trust store contains the Mozilla CA list, including positive and negative trust. The system allows updating of the core Mozilla CA list or choosing another certificate list. -include::{md}/concept_using-the-system-wide-trust-store.adoc[leveloffset=+1] +include::modules/con_using-the-system-wide-trust-store.adoc[leveloffset=+1] -include::{md}/proc_adding-new-certificates.adoc[leveloffset=+1] +include::modules/proc_adding-new-certificates.adoc[leveloffset=+1] + +include::modules/proc_managing-trusted-system-certificates.adoc[leveloffset=+1] -include::{md}/proc_managing-trusted-system-certificates.adoc[leveloffset=+1] [[shared-system-certificates-additional-resources]] == Additional Resources @@ -17,5 +16,4 @@ include::{md}/proc_managing-trusted-system-certificates.adoc[leveloffset=+1] For more information, see the following man pages: * `update-ca-trust(8)` - * `trust(1)`
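Review bot: the rewritten lead sentence in the con_using-the-system-wide-trust-store.adoc hunk is ungrammatical as added: "Certificate files are treated depending on the subdirectory they are installed to the following directories:" stacks two prepositional endings. Suggest "Certificate files are treated differently depending on which of the following subdirectories they are installed to:" so the nested list that follows reads as the object of the sentence. The split into "for trust anchors" / "for distrusted certificates" / "for certificates in the extended BEGIN TRUSTED file format" with the two candidate paths nested under each is otherwise clearer than the old one-line items, and the con_ prefix matches the proc_ naming already used for the other modules.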
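Review bot: in the first proc_adding-new-certificates.adoc hunk the anchor changes from `[[sec-Adding-New-Certificates]]` to `[id='proc_adding-new-certificates']`, which silently breaks any `<<sec-Adding-New-Certificates>>` or `xref:` that still points at the old id; grep the repository for the old anchor before merging. The listing attribute also changes from `[subs="macros"]` with `pass:quotes[...]` wrappers to `[subs="+quotes,macros"]` with bare `_..._`; that is the cleaner form, but `+quotes` is incremental while `macros` is not, so build the page once and confirm the two paths render in italics and the leading `#` prompt survives.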
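Review bot: the proc_managing-trusted-system-certificates.adoc hunk makes the same id change (`[[sec-Managing-Trusted-System-Certificates]]` to `[id='proc_managing-trusted-system-certificates']`), so the same cross-reference check applies there. Dropping the empty `.Before you start` block title is correct; an empty block title in AsciiDoc renders as a dangling heading with no content.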
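Review bot: in the using-shared-system-certificates.adoc hunk the `:md: ./modules` attribute is removed and every include is hardcoded to `modules/...`, which is fine as long as the build resolves includes relative to the assembly file in `en-US/`; all three includes are updated consistently, so no stale `{md}` reference remains. The reorder moves the proc_managing include up into the include group, but verify that a blank line still separates the last `include::` from the `[[shared-system-certificates-additional-resources]]` anchor so the anchor is not attached to the end of the included section. The final hunk only removes a blank line between the `update-ca-trust(8)` and `trust(1)` list items, which keeps them in one list.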