clear-linux-documentation/reference/manpages/clrtrust.1.html
2024-11-04 18:56:31 +00:00
<!DOCTYPE html>
<html lang="en" data-content_root="../../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>clrtrust &#8212; Documentation for Clear Linux* project</title>
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../../_static/bizstyle.css?v=5283bb3d" />
<link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b" />
<script src="../../_static/documentation_options.js?v=5929fcd5"></script>
<script src="../../_static/doctools.js?v=9bcbadda"></script>
<script src="../../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../../_static/clipboard.min.js?v=a7894cd8"></script>
<script src="../../_static/copybutton.js?v=a56c686a"></script>
<script src="../../_static/bizstyle.js"></script>
<link rel="canonical" href="https://clearlinux.github.io/clear-linux-documentation/reference/manpages/clrtrust.1.html" />
<link rel="icon" href="../../_static/favicon.ico"/>
<link rel="author" title="About these documents" href="../../about.html" />
<link rel="index" title="Index" href="../../genindex.html" />
<link rel="search" title="Search" href="../../search.html" />
<link rel="next" title="ucd" href="ucd.1.html" />
<link rel="prev" title="clr_power" href="clr_power.1.html" />
<meta name="viewport" content="width=device-width,initial-scale=1.0" />
<!--[if lt IE 9]>
<script src="_static/css3-mediaqueries.js"></script>
<![endif]-->
</head><body>
<div class="related" role="navigation" aria-label="Related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="ucd.1.html" title="ucd"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="clr_power.1.html" title="clr_power"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../../index.html">Documentation for Clear Linux* project</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="../index.html" >Reference</a> &#187;</li>
<li class="nav-item nav-item-2"><a href="../man-pages.html" accesskey="U">Man pages</a> &#187;</li>
<li class="nav-item nav-item-this"><a href="">clrtrust</a></li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="clrtrust">
<h1>clrtrust<a class="headerlink" href="#clrtrust" title="Link to this heading"></a></h1>
<dl class="field-list simple">
<dt class="field-odd">Manual section<span class="colon">:</span></dt>
<dd class="field-odd"><p>1</p>
</dd>
</dl>
<section id="synopsis">
<h2>SYNOPSIS<a class="headerlink" href="#synopsis" title="Link to this heading"></a></h2>
<p><strong>clrtrust</strong> is a tool for generating and managing a centralized trusted
certificate store.</p>
<p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">[-v|--verbose]</span> <span class="pre">[-h|--help]</span> <span class="pre">[-c|--internal-rehash]</span> <span class="pre">&lt;command&gt;</span> <span class="pre">[options]</span></code></p>
</section>
<section id="description">
<h2>DESCRIPTION<a class="headerlink" href="#description" title="Link to this heading"></a></h2>
<p>A trust store contains a set of X.509 certificates which the operating
system and applications should consider trustworthy.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">clrtrust</span></code> tool provides a frontend for centralized trust store
management. It allows for adding (trusting) and removing (distrusting)
certificate authorities (CAs). It also provides maintenance commands for
viewing and re-generating the trust store.</p>
<p>Certificates can be provided by the operating system for out-of-box
functionality. Certificates can also be provided and modified by
privileged users.</p>
<p>It is up to each application to make use of the trust store generated by
<code class="docutils literal notranslate"><span class="pre">clrtrust</span></code>.</p>
</section>
<section id="options">
<h2>OPTIONS<a class="headerlink" href="#options" title="Link to this heading"></a></h2>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">Usage</span><span class="p">:</span> <span class="n">clrtrust</span> <span class="p">[</span><span class="o">-</span><span class="n">v</span><span class="o">|--</span><span class="n">verbose</span><span class="p">]</span> <span class="p">[</span><span class="o">-</span><span class="n">h</span><span class="o">|--</span><span class="n">help</span><span class="p">]</span> <span class="p">[</span><span class="o">-</span><span class="n">c</span><span class="o">|--</span><span class="n">internal</span><span class="o">-</span><span class="n">rehash</span><span class="p">]</span> <span class="o">&lt;</span><span class="n">command</span><span class="o">&gt;</span> <span class="p">[</span><span class="n">options</span><span class="p">]</span>
<span class="o">-</span><span class="n">v</span> <span class="o">|</span> <span class="o">--</span><span class="n">verbose</span> <span class="n">Shows</span> <span class="n">more</span> <span class="n">details</span> <span class="n">about</span> <span class="n">execution</span>
<span class="o">-</span><span class="n">c</span> <span class="o">|</span> <span class="o">--</span><span class="n">internal</span><span class="o">-</span><span class="n">rehash</span> <span class="n">Forces</span> <span class="n">use</span> <span class="n">of</span> <span class="n">internal</span> <span class="n">implementation</span> <span class="n">of</span> <span class="n">c_rehash</span>
<span class="o">-</span><span class="n">h</span> <span class="o">|</span> <span class="o">--</span><span class="n">help</span> <span class="n">Prints</span> <span class="n">this</span> <span class="n">message</span>
<span class="n">Commands</span>
<span class="n">generate</span> <span class="n">generates</span> <span class="n">the</span> <span class="n">trust</span> <span class="n">store</span>
<span class="nb">list</span> <span class="nb">list</span> <span class="n">CAs</span>
<span class="n">add</span> <span class="n">add</span> <span class="n">trust</span> <span class="n">to</span> <span class="n">a</span> <span class="n">CA</span>
<span class="n">remove</span> <span class="n">remove</span> <span class="n">trust</span> <span class="n">to</span> <span class="n">a</span> <span class="n">CA</span>
<span class="n">restore</span> <span class="n">restore</span> <span class="n">trust</span> <span class="n">to</span> <span class="n">previously</span> <span class="n">removed</span> <span class="n">CA</span>
<span class="n">check</span> <span class="n">sanity</span><span class="o">/</span><span class="n">consistency</span> <span class="n">check</span> <span class="n">of</span> <span class="n">the</span> <span class="n">trust</span> <span class="n">store</span>
<span class="n">clrtrust</span> <span class="o">&lt;</span><span class="n">command</span><span class="o">&gt;</span> <span class="o">--</span><span class="n">help</span> <span class="n">to</span> <span class="n">get</span> <span class="n">help</span> <span class="n">on</span> <span class="n">specific</span> <span class="n">command</span><span class="o">.</span>
</pre></div>
</div>
<p><strong>Commands that modify the trust store require root privileges.</strong></p>
<ul>
<li><p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">generate</span> <span class="pre">[-f|--force]</span></code></p>
<p>The <code class="docutils literal notranslate"><span class="pre">generate</span></code> command takes no positional arguments and generates a unified
trust store composed of system-provided and user-provided
certificates, if any. The optional <code class="docutils literal notranslate"><span class="pre">--force</span></code> parameter will
forcibly generate the trust store, even if it results in an empty
store. See the FILES section for paths used for trust store
generation.</p>
</li>
<li><p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">list</span></code></p>
<p>The <code class="docutils literal notranslate"><span class="pre">list</span></code> command has no arguments and outputs a list of trusted
certificates with the following fields:</p>
<p><code class="docutils literal notranslate"><span class="pre">id</span></code> uniquely identifies the certificate. It can be used as input
to other <code class="docutils literal notranslate"><span class="pre">clrtrust</span></code> commands such as <code class="docutils literal notranslate"><span class="pre">remove</span></code> or <code class="docutils literal notranslate"><span class="pre">restore</span></code>.</p>
<p><code class="docutils literal notranslate"><span class="pre">File</span></code> contains the file path of the certificate in the trust
store.</p>
<p><code class="docutils literal notranslate"><span class="pre">Authority</span></code> shows the name of the organization that issued the
certificate. This field is extracted from the certificate file.</p>
<p><code class="docutils literal notranslate"><span class="pre">Expires</span></code> shows the expiration date of the certificate. This field
is extracted from the certificate file.</p>
</li>
<li><p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">add</span> <span class="pre">[&lt;certificateFile&gt;</span> <span class="pre">...]</span> <span class="pre">[-f|--force]</span></code></p>
<p>The <code class="docutils literal notranslate"><span class="pre">add</span></code> command takes one or more certificates as required
argument(s). The certificate is identified by a file path. The
certificate file(s) must be PEM-encoded with only one certificate per
file. The optional <code class="docutils literal notranslate"><span class="pre">--force</span></code> parameter will forcibly add the
certificate to the trust store, even if it is not a root CA.</p>
<p>Adding a root CA to the trust store allows applications using the
trust store to trust the root CA certificate, trust certificate
chains issued by the authority, verify the authenticity of a peer's
certificate, and establish a connection.</p>
</li>
<li><p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">remove</span> <span class="pre">[&lt;certificateFile|id&gt;</span> <span class="pre">...]</span></code></p>
<p>The <code class="docutils literal notranslate"><span class="pre">remove</span></code> command takes one or more certificates as required
argument(s). The certificate is identified by a file path or <code class="docutils literal notranslate"><span class="pre">id</span></code>.
The argument can be an <code class="docutils literal notranslate"><span class="pre">id</span></code> of the certificate (see the <code class="docutils literal notranslate"><span class="pre">list</span></code>
command) or the file path of the certificate.</p>
<p>Removing a root CA from the trust store distrusts the certificate for
applications using the trust store. Certificate chains issued by the
authority will no longer be trusted, the authenticity of a peer's
certificate will no longer be verified, and a connection will not be
established.</p>
</li>
<li><p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">check</span></code></p>
<p>The <code class="docutils literal notranslate"><span class="pre">check</span></code> command has no arguments and validates the consistency
of a previously generated unified trust store.</p>
</li>
</ul>
</section>
<section id="examples">
<h2>EXAMPLES<a class="headerlink" href="#examples" title="Link to this heading"></a></h2>
<section id="view-the-list-of-trusted-cas">
<h3>View the list of trusted CAs<a class="headerlink" href="#view-the-list-of-trusted-cas" title="Link to this heading"></a></h3>
<p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">list</span></code></p>
<p>The command above outputs a list of trusted certificates in the format
below:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="nb">id</span><span class="p">:</span> <span class="n">FA</span><span class="p">:</span><span class="n">B7</span><span class="p">:</span><span class="n">EE</span><span class="p">:</span><span class="mi">36</span><span class="p">:</span><span class="mi">97</span><span class="p">:</span><span class="mi">26</span><span class="p">:</span><span class="mi">62</span><span class="p">:</span><span class="n">FB</span><span class="p">:</span><span class="mi">2</span><span class="n">D</span><span class="p">:</span><span class="n">B0</span><span class="p">:</span><span class="mi">2</span><span class="n">A</span><span class="p">:</span><span class="n">F6</span><span class="p">:</span><span class="n">BF</span><span class="p">:</span><span class="mi">03</span><span class="p">:</span><span class="n">FD</span><span class="p">:</span><span class="n">E8</span><span class="p">:</span><span class="mi">7</span><span class="n">C</span><span class="p">:</span><span class="mi">4</span><span class="n">B</span><span class="p">:</span><span class="mi">2</span><span class="n">F</span><span class="p">:</span><span class="mi">9</span><span class="n">B</span>
<span class="n">File</span><span class="p">:</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">cache</span><span class="o">/</span><span class="n">ca</span><span class="o">-</span><span class="n">certs</span><span class="o">/</span><span class="n">anchors</span><span class="o">/</span><span class="n">certSIGN_ROOT_CA</span><span class="o">.</span><span class="n">crt</span>
<span class="n">Authority</span><span class="p">:</span> <span class="o">/</span><span class="n">C</span><span class="o">=</span><span class="n">RO</span><span class="o">/</span><span class="n">O</span><span class="o">=</span><span class="n">certSIGN</span><span class="o">/</span><span class="n">OU</span><span class="o">=</span><span class="n">certSIGN</span> <span class="n">ROOT</span> <span class="n">CA</span>
<span class="n">Expires</span><span class="p">:</span> <span class="n">Jul</span> <span class="mi">4</span> <span class="mi">17</span><span class="p">:</span><span class="mi">20</span><span class="p">:</span><span class="mi">04</span> <span class="mi">2031</span> <span class="n">GMT</span>
</pre></div>
</div>
<p>The certificate can be further inspected using the <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">x509</span></code>
command. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">x509</span> <span class="o">-</span><span class="ow">in</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">cache</span><span class="o">/</span><span class="n">ca</span><span class="o">-</span><span class="n">certs</span><span class="o">/</span><span class="n">anchors</span><span class="o">/</span><span class="n">certSIGN_ROOT_CA</span><span class="o">.</span><span class="n">crt</span> <span class="o">-</span><span class="n">noout</span> <span class="o">-</span><span class="n">text</span>
</pre></div>
</div>
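<p>As an added example (not part of the clrtrust man page or project), the following Python parses records in the <code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">list</span></code> format shown above and reports anchors that expire within a given window, which is how an operator would watch the trust store for CAs about to lapse. It assumes each record starts at an <code class="docutils literal notranslate"><span class="pre">id:</span></code> line; the first sample record is the page's own, the second (Example_Root_CA) is constructed.</p>

```python
"""Parse `clrtrust list` records and flag trust anchors that expire soon."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input. The first record is the one shown on the man page;
# the second (Example_Root_CA) is made up so that the expiry check has a hit.
SAMPLE_LIST_OUTPUT = """\
id: FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B
File: /var/cache/ca-certs/anchors/certSIGN_ROOT_CA.crt
Authority: /C=RO/O=certSIGN/OU=certSIGN ROOT CA
Expires: Jul  4 17:20:04 2031 GMT

id: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
File: /var/cache/ca-certs/anchors/Example_Root_CA.crt
Authority: /C=XX/O=Example/CN=Example Root CA
Expires: Jan  1 00:00:00 2025 GMT
"""

FIELDS = ("id", "File", "Authority", "Expires")
ID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")  # 20 hex bytes, as on the page

def parse_expires(value):
    """Parse an OpenSSL-style date such as 'Jul  4 17:20:04 2031 GMT' into aware UTC."""
    fields = value.split()  # also collapses the double space before a one-digit day
    if len(fields) != 5 or fields[-1] != "GMT":
        raise ValueError("unexpected Expires value: %r" % value)
    naive = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def parse_list_output(text):
    """Return one dict per record; assumes each record starts at an 'id:' line."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # first colon only: ids and times keep theirs
        if not sep or key not in FIELDS:
            raise ValueError("unexpected line: %r" % raw)
        if key == "id" and current:
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    for rec in records:
        missing = [f for f in FIELDS if f not in rec]
        if missing:
            raise ValueError("record %r lacks %s" % (rec.get("id"), missing))
        if not ID_RE.match(rec["id"]):
            raise ValueError("malformed id: %r" % rec["id"])
        rec["Expires"] = parse_expires(rec["Expires"])
    return records

def expiring_within(records, days, now=None):
    """File paths of anchors expiring within `days`; `now` is an ISO date (UTC) or None for today."""
    now_dt = (datetime.now(timezone.utc) if now is None
              else datetime.fromisoformat(now).replace(tzinfo=timezone.utc))
    limit = now_dt + timedelta(days=days)
    return [r["File"] for r in records if r["Expires"] <= limit]
```

Feed the real output with <code class="docutils literal notranslate"><span class="pre">parse_list_output(subprocess.run(["clrtrust", "list"], capture_output=True, text=True).stdout)</span></code>; a malformed record raises rather than being silently skipped.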
</section>
<section id="add-trust-a-root-ca">
<h3>Add (trust) a root CA<a class="headerlink" href="#add-trust-a-root-ca" title="Link to this heading"></a></h3>
<p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">add</span> <span class="pre">~/PrivateCA.pem</span></code></p>
<p>The command above will add a root CA certificate located in the
<code class="docutils literal notranslate"><span class="pre">~/PrivateCA.pem</span></code> file. If the certificate file is not in the PEM
format, use <code class="docutils literal notranslate"><span class="pre">openssl</span> <span class="pre">x509</span></code> command to convert to PEM first. For
example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">x509</span> <span class="o">-</span><span class="ow">in</span> <span class="n">PrivateCA</span><span class="o">.</span><span class="n">cer</span> <span class="o">-</span><span class="n">inform</span> <span class="n">der</span> <span class="o">-</span><span class="n">out</span> <span class="n">PrivateCA</span><span class="o">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">outform</span> <span class="n">pem</span>
</pre></div>
</div>
</section>
<section id="remove-distrust-a-root-ca">
<h3>Remove (distrust) a root CA<a class="headerlink" href="#remove-distrust-a-root-ca" title="Link to this heading"></a></h3>
<p><code class="docutils literal notranslate"><span class="pre">clrtrust</span> <span class="pre">remove</span> <span class="pre">~/PrivateCA.pem</span></code></p>
<p>The command above will remove a root CA certificate located in the
<code class="docutils literal notranslate"><span class="pre">~/PrivateCA.pem</span></code> file from the trust store and distrust it.</p>
</section>
</section>
<section id="files">
<h2>FILES<a class="headerlink" href="#files" title="Link to this heading"></a></h2>
<p><em>/var/cache/ca-certs</em></p>
<p>Generated directory of certificates and verification keys. Do not modify
contents outside of <code class="docutils literal notranslate"><span class="pre">clrtrust</span></code>.</p>
<p><em>/usr/share/ca-certs/</em></p>
<p>Operating-system provided certificates and keys. Do not modify contents
outside of <code class="docutils literal notranslate"><span class="pre">clrtrust</span></code>.</p>
<p><em>/etc/ca-certs/</em></p>
<p>Generated directory of user-supplied certificates and verification keys.
Do not modify contents outside of <code class="docutils literal notranslate"><span class="pre">clrtrust</span></code>.</p>
</section>
<section id="bugs">
<h2>BUGS<a class="headerlink" href="#bugs" title="Link to this heading"></a></h2>
<p>See GitHub Issues: <a class="reference external" href="https://github.com/clearlinux/clrtrust/issues">https://github.com/clearlinux/clrtrust/issues</a></p>
</section>
<section id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Link to this heading"></a></h2>
<p><strong>openssl(1)</strong></p>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="Main">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="../../index.html">
<img class="logo" src="../../_static/clearlinux.png" alt="Logo of Clear Linux* Project Docs"/>
</a></p>
<div>
<h3><a href="../../index.html">Table of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">clrtrust</a><ul>
<li><a class="reference internal" href="#synopsis">SYNOPSIS</a></li>
<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
<li><a class="reference internal" href="#options">OPTIONS</a></li>
<li><a class="reference internal" href="#examples">EXAMPLES</a><ul>
<li><a class="reference internal" href="#view-the-list-of-trusted-cas">View the list of trusted CAs</a></li>
<li><a class="reference internal" href="#add-trust-a-root-ca">Add (trust) a root CA</a></li>
<li><a class="reference internal" href="#remove-distrust-a-root-ca">Remove (distrust) a root CA</a></li>
</ul>
</li>
<li><a class="reference internal" href="#files">FILES</a></li>
<li><a class="reference internal" href="#bugs">BUGS</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
</ul>
</div>
<div>
<h4>Previous topic</h4>
<p class="topless"><a href="clr_power.1.html"
title="previous chapter">clr_power</a></p>
</div>
<div>
<h4>Next topic</h4>
<p class="topless"><a href="ucd.1.html"
title="next chapter">ucd</a></p>
</div>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../../_sources/reference/manpages/clrtrust.1.rst.txt"
rel="nofollow">Show Source</a></li>
</ul>
</div>
<search id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="../../search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false"/>
<input type="submit" value="Go" />
</form>
</div>
</search>
<script>document.getElementById('searchbox').style.display = "block"</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="Related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="ucd.1.html" title="ucd"
>next</a> |</li>
<li class="right" >
<a href="clr_power.1.html" title="clr_power"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../../index.html">Documentation for Clear Linux* project</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="../index.html" >Reference</a> &#187;</li>
<li class="nav-item nav-item-2"><a href="../man-pages.html" >Man pages</a> &#187;</li>
<li class="nav-item nav-item-this"><a href="">clrtrust</a></li>
</ul>
</div>
<div class="footer" role="contentinfo">
&#169; Copyright 2022 Intel Corporation. All Rights Reserved.
Last updated on Nov 04, 2024.
Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 8.1.3.
</div>
</body>
</html>