xref: /freebsd/usr.sbin/certctl/certctl.8 (revision 0199cbf641db5f28d258153014fa8a657ae98ea6)
.\"
.\" SPDX-License-Identifier: BSD-2-Clause-FreeBSD
.\"
.\" Copyright 2018 Allan Jude <allanjude@freebsd.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted providing that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd January 7, 2021
.Dt CERTCTL 8
.Os
.Sh NAME
.Nm certctl
.Nd "tool for managing trusted and blacklist TLS certificates"
.Sh SYNOPSIS
.Nm
.Op Fl v
.Ic list
.Nm
.Op Fl v
.Ic blacklisted
.Nm
.Op Fl nUv
.Op Fl D Ar destdir
.Op Fl M Ar metalog
.Ic rehash
.Nm
.Op Fl nv
.Ic blacklist Ar file
.Nm
.Op Fl nv
.Ic unblacklist Ar file
.Sh DESCRIPTION
The
.Nm
utility manages the list of TLS Certificate Authorities that are trusted by
applications that use OpenSSL.
.Pp
Flags:
.Bl -tag -width 4n
.It Fl D Ar destdir
Specify the DESTDIR (overriding values from the environment).
.It Fl M Ar metalog
Specify the path of the METALOG file (default: $DESTDIR/METALOG).
.It Fl n
No-Op mode, do not actually perform any actions.
.It Fl v
Be verbose, print details about actions before performing them.
.It Fl U
Unprivileged mode, do not change the ownership of created links.
Do record the ownership in the METALOG file.
.El
.Pp
Primary command functions:
.Bl -tag -width blacklisted
.It Ic list
List all currently trusted certificate authorities.
.It Ic blacklisted
List all currently blacklisted certificates.
.It Ic rehash
Rebuild the list of trusted certificate authorities by scanning all directories
in
.Ev TRUSTPATH
and all blacklisted certificates in
.Ev BLACKLISTPATH .
A symbolic link to each trusted certificate is placed in
.Ev CERTDESTDIR
and each blacklisted certificate in
.Ev BLACKLISTDESTDIR .
.It Ic blacklist
Add the specified file to the blacklist.
.It Ic unblacklist
Remove the specified file from the blacklist.
.El
.Sh ENVIRONMENT
.Bl -tag -width BLACKLISTDESTDIR
.It Ev DESTDIR
Alternate destination directory to operate on.
.It Ev TRUSTPATH
List of paths to search for trusted certificates.
Default:
.Pa <DESTDIR>/usr/share/certs/trusted
.Pa <DESTDIR>/usr/local/share/certs <DESTDIR>/usr/local/etc/ssl/certs
.It Ev BLACKLISTPATH
List of paths to search for blacklisted certificates.
Default:
.Pa <DESTDIR>/usr/share/certs/blacklisted
.Pa <DESTDIR>/usr/local/etc/ssl/blacklisted
.It Ev CERTDESTDIR
Destination directory for symbolic links to trusted certificates.
Default:
.Pa <DESTDIR>/etc/ssl/certs
.It Ev BLACKLISTDESTDIR
Destination directory for symbolic links to blacklisted certificates.
Default:
.Pa <DESTDIR>/etc/ssl/blacklisted
.It Ev EXTENSIONS
List of file extensions to read as certificate files.
Default: *.pem *.crt *.cer *.crl *.0
.El
.Sh SEE ALSO
.Xr openssl 1
.Sh HISTORY
.Nm
first appeared in
.Fx 12.2
.Sh AUTHORS
.An Allan Jude Aq Mt allanjude@freebsd.org
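
Added example, not part of certctl or of this manual page: a POSIX sh check of the link directory that rehash populates, flagging every entry that is not a symbolic link resolving into one of the trusted source directories. The function name audit_trust_links and its status labels are hypothetical, and a realpath utility is assumed to be installed.

```shell
#!/bin/sh
# Added example, not certctl code. Audits the directory that `certctl rehash`
# fills with symbolic links and reports entries the manual does not account for.
#
# usage: audit_trust_links CERTDESTDIR TRUSTDIR...
# e.g.   audit_trust_links "$DESTDIR/etc/ssl/certs" \
#            "$DESTDIR/usr/share/certs/trusted" \
#            "$DESTDIR/usr/local/share/certs" \
#            "$DESTDIR/usr/local/etc/ssl/certs"
# Prints "<status> <path>" per entry; returns 1 if any status is not "ok".
audit_trust_links() {
    certdestdir=$1
    shift
    findings=0
    for entry in "$certdestdir"/*; do
        # An unmatched glob yields the literal pattern; skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ ! -L "$entry" ]; then
            status=not-symlink          # regular file placed directly in the store
        elif [ ! -e "$entry" ]; then
            status=dangling             # link whose source certificate is gone
        else
            status=outside-trustpath    # until found under a trusted directory
            target=$(realpath "$entry")
            for dir in "$@"; do
                [ -d "$dir" ] || continue
                base=$(realpath "$dir")
                case $target in
                    "$base"/*) status=ok ;;
                esac
            done
        fi
        [ "$status" = ok ] || findings=1
        echo "$status $entry"
    done
    return "$findings"
}
```

Running it against a staging DESTDIR before and after rehash shows which links the rebuild added or dropped.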