Tuning your PKIX Trust-store


BEFORE you get rid of the old trust-store, keep using it to grab the new one through HTTPS

grab the latest certificate bundle and check its SHA-256 fingerprint

cd /etc/ssl/
wget https://curl.se/ca/cacert.pem
wget https://curl.se/ca/cacert.pem.sha256
# --no-check-certificate   (only if the old store can no longer validate curl.se; the .sha256 then comes over the same unchecked connection and is not an independent check)

sha256sum cacert.pem
#shasum -a 256 cacert.pem
cat cacert.pem.sha256

# Apr 2021
e010c0c071a2c79a76aa3c289dc7e4ac4ed38492bfda06d766a80b707ebd2f29  cacert.pem
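The digest comparison above is done by eye; here is the same check as a small shell function that fails closed, added as an example for these notes (not part of the original). It assumes coreutils sha256sum and a sidecar file in the "HASH  FILENAME" format that curl.se publishes; the function names and the certificate count helper are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: verify a downloaded CA bundle
# against its .sha256 sidecar before it replaces the old trust-store.
# Assumes coreutils sha256sum and a sidecar line of the form "HASH  FILENAME".
# Returns 0 on match, 1 on mismatch or malformed sidecar, 2 on missing input.
verify_bundle() {
    bundle=$1
    sidecar=${2:-$1.sha256}
    [ -r "$bundle" ] && [ -r "$sidecar" ] || return 2
    # first field of the sidecar is the hex digest; normalise to lower case
    expected=$(awk 'NR==1 { print tolower($1) }' "$sidecar")
    actual=$(sha256sum "$bundle" | awk '{ print $1 }')
    # a sidecar that is empty or not 64 hex chars must not "match" anything
    case $expected in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || return 1
    [ "$expected" = "$actual" ]
}

# number of certificates in a bundle; a bundle with none is no trust-store at all
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# usage: sh verify_bundle.sh /etc/ssl/cacert.pem
if [ $# -gt 0 ]; then
    if verify_bundle "$1"; then
        echo "$1 OK, $(count_certs "$1") certificates"
    else
        echo "$1: digest mismatch or unreadable sidecar, NOT installing" >&2
        exit 1
    fi
fi
```

Run it on the freshly downloaded cacert.pem before the apt purge / removepkg step; a non-zero exit means keep the old store for now.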

THEN get rid of the old trust-store

# Ubuntu
#dpkg-reconfigure ca-certificates
apt purge ca-certificates

# Slackware
#ls -lF /var/lib/pkgtools/packages/ca-certificates-*
removepkg ca-certificates

cd /etc/ssl/
rm -rf certs/
rm -rf private/

diff -bu /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf
diff -bu /etc/ssl/openssl.cnf.dist /etc/ssl/openssl.cnf

Client tuning

tune some clients accordingly

mv -i /etc/wgetrc /etc/wgetrc.dist
grep -vE '^[[:space:]]*(;|#|$)' /etc/wgetrc.dist > /etc/wgetrc
vi /etc/wgetrc

ca_certificate = /etc/ssl/cacert.pem

there is no system-wide config for curl, so set it per user

vi ~/.curlrc

cacert /etc/ssl/cacert.pem


to check remote certificates, some applications or daemons need hashed symlinks to single-certificate PEM files (not a bundle)

assuming the daemon is not running in a chroot (otherwise the hashed directory must live inside it)

$OPENSSL_HOME/bin/c_rehash /etc/ssl/certs
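c_rehash only hashes files that already exist, so a bundle like cacert.pem has to be split into one file per certificate first. The following splitter is an added example for these notes, not part of the original; it assumes a POSIX awk, and the output directory and the cert-NNN.pem naming are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original notes: split a PEM bundle into one
# file per certificate so c_rehash / openssl rehash can build the hashed
# symlinks a daemon expects. Assumes POSIX awk. Returns 0 if at least one
# certificate was written, 1 if the bundle held none, 2 on missing input.
split_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || return 2
    mkdir -p "$outdir" || return 2
    # copy only the lines from BEGIN to END; the bundle's comment header,
    # issuer names and separator lines between blocks are dropped
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inblock = 1 }
        inblock { print > out }
        /^-----END CERTIFICATE-----$/   { inblock = 0; close(out) }
        END { exit (n > 0) ? 0 : 1 }
    ' "$bundle"
}

# number of single-certificate files the split produced
count_split() {
    ls "$1"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# usage: sh split_bundle.sh /etc/ssl/cacert.pem /etc/ssl/certs
#        then: $OPENSSL_HOME/bin/c_rehash /etc/ssl/certs   (or: openssl rehash /etc/ssl/certs)
if [ $# -eq 2 ]; then
    if split_bundle "$1" "$2"; then
        echo "$(count_split "$2") certificates written to $2"
    else
        echo "$1: no certificates found, nothing written" >&2
        exit 1
    fi
fi
```

After the split, run the c_rehash line above on the output directory; each certificate then gets its subject-hash symlink and daemons that refuse a bundle can verify peers.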

now for GIT

vi ~/.gitconfig

[http]
    sslCAinfo = /etc/ssl/cacert.pem

and, for clients that still look at the distribution's default bundle path, point that path at the new bundle

# still in /etc/ssl/ (from the cd above)
mkdir certs/
cd certs/
ln -s ../cacert.pem ca-certificates.crt