Certificate authority (CA) config for Fedora distro


This content originally appeared on DEV Community and was authored by ZHANG, HENGMING

Certificate authority (CA) trust on Fedora has been managed by ca-bundle.trust.p11-kit in recent distributions, and the update method has changed, leaving the old update methods outdated. Therefore, I created this post to record my changes to CA management on Fedora.

No third-party / company / government certificates

I deleted all of the certificates included in the recent Mozilla CA bundle, including the nostalgic CNNIC certificates, etc. Only the OSS one (Let's Encrypt) remained. This change irreversibly makes some websites inaccessible (GitHub, etc.), while a minimal set of websites stays on the table.

Start configuration

I configured two environments to use the config:

  • Application-based environments (those under /etc/pki/ca-trust/source, high priority, and /usr/share/pki/ca-trust-source, low priority), such as curl.
  • Browser-based environments (Firefox, Tor Browser).

The above two environments use different CA settings to configure and manage certificates (TLS, SSL, Java, EDK2, etc.). In order to make all environments use one setting, each environment has to be configured separately.

When I started to configure it, I had to be reminded that it was not enough to use the trust CLI (since it was unable to change the read-only Mozilla CA bundle), and that I had to edit the original file and put a # comment before each line. And it was still not done correctly. What did work was that I created a .bak file of the original file and moved the .bak file (and the original one) out of the directory above (the /etc/pki/ca-trust/source directory), leaving only the file with the commented or deleted lines in the directory. Then I executed sudo update-ca-trust, and all certs were updated accordingly.
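
One way to check the result of the procedure above, as an added example that is not part of the original post: after sudo update-ca-trust, pipe the output of trust list --filter=ca-anchors into this script to see whether any anchor outside an allowlist is still trusted. The allowlist labels (ISRG Root X1 and X2 for Let's Encrypt), the function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which CA trust anchors remain after update-ca-trust.
# Input is the text printed by `trust list --filter=ca-anchors` (p11-kit).

# Assumption: the only anchors meant to stay are the Let's Encrypt roots.
ALLOWED_LABELS='ISRG Root X1
ISRG Root X2'

# Constructed sample in the `trust list` record layout (ids are placeholders).
SAMPLE_TRUST_LIST='pkcs11:id=%00;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority

pkcs11:id=%01;type=cert
    type: certificate
    label: Example Leftover Root CA
    trust: anchor
    category: authority

pkcs11:id=%02;type=cert
    type: certificate
    label: Example Distrusted CA
    trust: distrusted
    category: authority'

# Print the label of every record on stdin whose trust field is "anchor".
anchor_labels() {
    awk '
        function emit() { if (anchor && label != "") print label; label = ""; anchor = 0 }
        /^pkcs11:/             { emit(); next }
        /^[ \t]+label: /       { sub(/^[ \t]+label: /, ""); label = $0; next }
        /^[ \t]+trust: anchor/ { anchor = 1 }
        END                    { emit() }
    '
}

# Print anchors missing from the allowlist; return 1 if there are any.
unexpected_anchors() {
    # grep -v exits 0 when it printed a non-allowlisted label.
    if anchor_labels | grep -Fxv -e "$ALLOWED_LABELS"; then
        return 1
    fi
    return 0
}

# Offline demo on the sample; on Fedora, pipe `trust list --filter=ca-anchors`.
printf '%s\n' "$SAMPLE_TRUST_LIST" | unexpected_anchors ||
    echo "audit: unexpected trust anchors remain" >&2
```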

Chain of logs

Changing the CA root certs in the system config will break other configs, which should be changed accordingly. These include:

  • Protocols that use CA certs (XMPP, WebSockets, etc.).
  • Applications that use the TLS, SSL, Java, EDK2 configs (such as Fedora mirrors, RPM repos).
  • Anything else.

The road to self-managed CA certs

The best choice for internet PKI (public key infrastructure) is managing certs (probably including root certs) oneself. To manage and configure CAs in internet trust chains easily, personal solutions, e.g. OpenXPKI, and enterprise solutions (Hyperledger Fabric with a PKCS #11 interface) could be considered.


APA

ZHANG, HENGMING | Sciencx (2025-10-05T08:22:10+00:00) certificate authority ( ca ) config for fedora distro. Retrieved from https://www.scien.cx/2025/10/05/certificate-authority-ca-config-for-fedora-distro/
