Adding private CAs to Red Hat’s PKI

As long as private CAs are a necessity, some way of making them part of the standard CA bundle used by clients and servers is going to be required. Here’s the official procedure for Red Hat family operating systems like Red Hat Enterprise Linux, CentOS and Fedora.

Although the Let’s Encrypt initiative is a giant step forward towards making HTTPS Everywhere a reality, it isn’t a solution for most internal private networks. For those, a private CA is still going to be required. Private CAs do have one major drawback: they’re not included in the standard CA bundle that ships with all operating systems.

The procedure to add a private CA to the ca-bundle on a Red Hat box is laid out in /usr/share/pki/ca-trust-source/README. It consists of two basic steps:

1. Copy the public key certificate for the private CA to /usr/share/pki/ca-trust-source/anchors.

2. Run the update-ca-trust command.

This will update the copies of the certificate bundle found under /etc/pki/ca-trust/extracted and the files that are soft-linked to them (e.g. /etc/pki/tls/certs/ca-bundle.crt).

Once these steps are completed, be sure to recycle (restart) anything that depends on ca-bundle.crt, such as an HTTPS-enabled Apache web server.
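One way to confirm the private CA actually reached the extracted bundle before recycling services, as an added example (not from the original post or Red Hat's README). The file names corp-ca.pem and check.sh are hypothetical, and the sample certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: confirm a private CA landed in the extracted bundle.

# pem_bodies FILE: print each certificate's base64 body on one line,
# so differences in line wrapping between files do not matter.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# ca_in_bundle ANCHOR BUNDLE
# 0 = every cert in ANCHOR is in BUNDLE, 1 = at least one is missing,
# 2 = unreadable file or no PEM certificate in ANCHOR.
ca_in_bundle() {
    anchor=$1; bundle=$2
    [ -r "$anchor" ] && [ -r "$bundle" ] || return 2
    wanted=$(pem_bodies "$anchor")
    [ -n "$wanted" ] || return 2
    have=$(pem_bodies "$bundle")
    for b in $wanted; do
        printf '%s\n' "$have" | grep -qxF -- "$b" || return 1
    done
    return 0
}

# write_samples DIR: constructed files; bodies are placeholders, not real certs.
write_samples() {
    cat > "$1/corp-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUFJJ
VkFURS1DQQ==
-----END CERTIFICATE-----
EOF
    cat > "$1/bundle-before.crt" <<'EOF'
# Constructed public root
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUFVCTElDLVJPT1Q=
-----END CERTIFICATE-----
EOF
    { cat "$1/bundle-before.crt"
      printf '%s\n' '-----BEGIN CERTIFICATE-----' \
          'Q09OU1RSVUNURUQtUFJJVkFURS1DQQ==' '-----END CERTIFICATE-----'
    } > "$1/bundle-after.crt"
}

# Real use: ./check.sh <anchors dir>/corp-ca.pem /etc/pki/tls/certs/ca-bundle.crt
if [ "$#" -eq 2 ]; then ca_in_bundle "$1" "$2"; fi
```

An exit status of 1 after running update-ca-trust means the anchor was not picked up, which is worth knowing before restarting anything that reads ca-bundle.crt.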


1. If you’re confused about the difference between adding additional certs to /usr/share/pki/ca-trust-source/anchors or /etc/pki/ca-trust/source/anchors, the READMEs found in both places explain it succinctly:

This directory /usr/share/pki/ca-trust-source/ contains CA certificates and trust settings in the PEM file format. The trust settings found here will be interpreted with a low priority – lower than the ones found in /etc/pki/ca-trust/source/ .

Basically it’s a matter of priority. Being a true conservative when it comes to making global system changes, my approach in this case is to make my changes under /usr/share/pki.

2. Given the rapidity of change in the security area, we’re fast approaching the point where Red Hat and other companies may fall behind in updating key components like ca-bundle.crt. As a result, admins should be prepared to update it themselves.

An up-to-date version of the ca-bundle.crt file can be downloaded from here (which is the home of the open source web tool curl).

To use the updated ca-bundle.crt on a Red Hat system, copy the downloaded file to /etc/pki/ca-trust/source/anchors and run update-ca-trust. Put it in that location to ensure it is given the highest priority by the system.


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).