
Check Root CA Certificates in Linux

A root certificate is the first link in the chain of trust. Unlike other certificates, it is self-signed, meaning the issuer and subject are the same. It is a kind of X.509 certificate that can be used to issue other certificates. Certificate authorities (CAs) adhere to strict requirements to merit the trust of having a root certificate.

Root certificates also typically have long validity periods compared to intermediate certificates. They will often last for 10 or 20 years, which gives enough time to prepare for when they expire.

Location for Root CA Certs in Linux

If we use Amazon Linux, Red Hat Enterprise Linux, or a related distribution, we can find root CA certs here.

  • /etc/ssl/certs/ca-bundle.crt
  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

If we use Ubuntu or a related distribution, we can get root CA certs here.

  • /etc/ssl/certs/ca-certificates.crt

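If we use macOS, we can generate the certificate bundle from our system keychain. To generate it, type the following command at the command line. The output is piped through sudo tee because a plain > redirect is performed by the unprivileged shell, not by sudo, and would fail to write under /etc/ssl/certs:

  • security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain | sudo tee /etc/ssl/certs/ca-bundle.crt > /dev/null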

How to Install Root CA Certs in Linux

To manage and install certificates in Red Hat, we'll need to install the ca-certificates package and enable the dynamic CA configuration feature by issuing the command update-ca-trust force-enable.

To install our own root certificate in Red Hat or CentOS, copy or move the relevant root certificate into the following directory: /etc/pki/ca-trust/source/anchors/.

After we have copied the certificate to the correct directory, we will need to refresh the installed certificates and hashes. We can perform this with the following command: update-ca-trust extract.


List All Root CA Certs in Linux

A quick way to list all of the certificate subjects in the bundle is with the following awk and openssl commands:

$ awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
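
The listing above shows subjects only. The following script is an added example, not part of the original article: it goes one step further and checks each certificate in a bundle against the two properties described at the top of the page, that issuer and subject match and that the expiry date is not close. The function name audit_bundle, the status labels, the 90-day default and the script name audit_roots.sh are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not from the original article): audit a PEM trust bundle.
# audit_bundle BUNDLE [DAYS] prints one line per certificate:
#   STATUS|subject|notAfter|SHA-256 fingerprint
# STATUS is OK, EXPIRING (notAfter within DAYS days, default 90) or
# NOT_SELF_ISSUED (issuer differs from subject, so it is not a root).
audit_bundle() {
  local bundle="$1" days="${2:-90}" tmp f subj iss end fp status
  tmp=$(mktemp -d) || return 1

  # Split the bundle into one file per certificate block.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%05d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"

  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || continue   # bundle contained no certificates
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)
    iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253)
    end=$(openssl x509 -in "$f" -noout -enddate)
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
    # Strip the "subject=" / "issuer=" labels (older OpenSSL adds a space).
    subj=${subj#subject=}; subj=${subj# }
    iss=${iss#issuer=};    iss=${iss# }

    status=OK
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$f" -noout -checkend "$((days * 86400))" >/dev/null; then
      status=EXPIRING
    fi
    # Name comparison only; it does not verify the signature.
    if [ "$subj" != "$iss" ]; then
      status=NOT_SELF_ISSUED
    fi
    printf '%s|%s|%s|%s\n' "$status" "$subj" "${end#notAfter=}" "${fp#*=}"
  done
  rm -rf "$tmp"
}

# Stand-alone use: sh audit_roots.sh /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
if [ -n "${1:-}" ]; then audit_bundle "$@"; fi
```

Recording the fingerprints from a known-good run and diffing later output against them shows when a trust anchor has been added to or removed from the store.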