xref: /freebsd/usr.sbin/certctl/certctl.8 (revision def6ee77dbc2ab7d4314002f01367e84e69b0a23)
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.\" Copyright 2018 Allan Jude <allanjude@freebsd.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted providing that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd October 10, 2023
.Dt CERTCTL 8
.Os
.Sh NAME
.Nm certctl
.Nd "tool for managing trusted and untrusted TLS certificates"
.Sh SYNOPSIS
.Nm
.Op Fl v
.Ic list
.Nm
.Op Fl v
.Ic untrusted
.Nm
.Op Fl nUv
.Op Fl D Ar destdir
.Op Fl M Ar metalog
.Ic rehash
.Nm
.Op Fl nv
.Ic untrust Ar file
.Nm
.Op Fl nv
.Ic trust Ar file
.Sh DESCRIPTION
The
.Nm
utility manages the list of TLS Certificate Authorities that are trusted by
applications that use OpenSSL.
.Pp
Flags:
.Bl -tag -width 4n
.It Fl D Ar destdir
Specify the DESTDIR (overriding values from the environment).
.It Fl d Ar distbase
Specify the DISTBASE (overriding values from the environment).
.It Fl M Ar metalog
Specify the path of the METALOG file (default: $DESTDIR/METALOG).
.It Fl n
No-Op mode, do not actually perform any actions.
.It Fl v
Be verbose, print details about actions before performing them.
.It Fl U
Unprivileged mode, do not change the ownership of created links.
Do record the ownership in the METALOG file.
.El
.Pp
Primary command functions:
.Bl -tag -width untrusted
.It Ic list
List all currently trusted certificate authorities.
.It Ic untrusted
List all currently untrusted certificates.
.It Ic rehash
Rebuild the list of trusted certificate authorities by scanning all directories
in
.Ev TRUSTPATH
and all untrusted certificates in
.Ev UNTRUSTPATH .
A symbolic link to each trusted certificate is placed in
.Ev CERTDESTDIR
and each untrusted certificate in
.Ev UNTRUSTDESTDIR .
.It Ic untrust
Add the specified file to the untrusted list.
.It Ic trust
Remove the specified file from the untrusted list.
.El
.Sh ENVIRONMENT
.Bl -tag -width UNTRUSTDESTDIR
.It Ev DESTDIR
Alternate destination directory to operate on.
.It Ev DISTBASE
Additional path component to include when operating on certificate directories.
.It Ev LOCALBASE
Location for local programs.
Defaults to the value of the user.localbase sysctl which is usually
.Pa /usr/local .
.It Ev TRUSTPATH
List of paths to search for trusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/usr/share/certs/trusted
.Pa <DESTDIR><DISTBASE>/usr/local/share/certs
.Pa <DESTDIR><DISTBASE><LOCALBASE>/etc/ssl/certs
.It Ev UNTRUSTPATH
List of paths to search for untrusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/usr/share/certs/untrusted
.Pa <DESTDIR><DISTBASE><LOCALBASE>/etc/ssl/untrusted
.Pa <DESTDIR><DISTBASE><LOCALBASE>/etc/ssl/blacklisted
.It Ev CERTDESTDIR
Destination directory for symbolic links to trusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/etc/ssl/certs
.It Ev UNTRUSTDESTDIR
Destination directory for symbolic links to untrusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/etc/ssl/untrusted
.It Ev EXTENSIONS
List of file extensions to read as certificate files.
Default: *.pem *.crt *.cer *.crl *.0
.El
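An audit of the directory that rehash populates, added here as an example and not part of certctl or the FreeBSD source. It assumes every entry in CERTDESTDIR should be a symbolic link resolving into one of the TRUSTPATH directories; the function names, finding labels and sample layout are constructed for illustration.

```shell
# Added example, not part of certctl. Assumption: every entry in CERTDESTDIR
# should be a symbolic link resolving into one of the TRUSTPATH directories.

# audit_certdestdir CERTDESTDIR TRUSTDIR...
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_certdestdir() {
    destdir=$1; shift
    findings=0
    for entry in "$destdir"/*; do
        # An unmatched glob leaves the literal pattern behind; skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ ! -L "$entry" ]; then
            echo "NOT-A-LINK $entry"
            findings=$((findings + 1)); continue
        fi
        if [ ! -e "$entry" ]; then
            echo "DANGLING $entry"
            findings=$((findings + 1)); continue
        fi
        target=$(readlink -f "$entry")
        inside=no
        for dir in "$@"; do
            canon=$(readlink -f "$dir") || continue
            case $target in
                "$canon"/*) inside=yes; break ;;
            esac
        done
        if [ "$inside" = no ]; then
            echo "OUTSIDE-TRUSTPATH $entry -> $target"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample layout (empty files, not real certificates).
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/trusted" "$root/certs" "$root/elsewhere"
    : > "$root/trusted/ca1.pem"; : > "$root/elsewhere/rogue.pem"
    ln -s "$root/trusted/ca1.pem" "$root/certs/aaaaaaaa.0"      # expected link
    ln -s "$root/elsewhere/rogue.pem" "$root/certs/bbbbbbbb.0"  # outside TRUSTPATH
    ln -s "$root/trusted/gone.pem" "$root/certs/cccccccc.0"     # dangling
    : > "$root/certs/dddddddd.0"                                # plain file
    echo "$root"
}
```

On a live system the first argument is the CERTDESTDIR in effect and the remaining arguments are the TRUSTPATH directories in effect.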
.Sh SEE ALSO
.Xr openssl 1
.Sh HISTORY
.Nm
first appeared in
.Fx 12.2
.Sh AUTHORS
.An Allan Jude Aq Mt allanjude@freebsd.org