xref: /freebsd/usr.sbin/certctl/certctl.8 (revision 4d846d260e2b9a3d4d0a701462568268cbfe7a5b)
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.\" Copyright 2018 Allan Jude <allanjude@freebsd.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted providing that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 13, 2022
.Dt CERTCTL 8
.Os
.Sh NAME
.Nm certctl
.Nd "tool for managing trusted and untrusted TLS certificates"
.Sh SYNOPSIS
.Nm
.Op Fl v
.Ic list
.Nm
.Op Fl v
.Ic untrusted
.Nm
.Op Fl nUv
.Op Fl D Ar destdir
.Op Fl M Ar metalog
.Ic rehash
.Nm
.Op Fl nv
.Ic untrust Ar file
.Nm
.Op Fl nv
.Ic trust Ar file
.Sh DESCRIPTION
The
.Nm
utility manages the list of TLS Certificate Authorities that are trusted by
applications that use OpenSSL.
.Pp
Flags:
.Bl -tag -width 4n
.It Fl D Ar destdir
Specify the DESTDIR (overriding values from the environment).
.It Fl d Ar distbase
Specify the DISTBASE (overriding values from the environment).
.It Fl M Ar metalog
Specify the path of the METALOG file (default: $DESTDIR/METALOG).
.It Fl n
No-Op mode, do not actually perform any actions.
.It Fl v
Be verbose, print details about actions before performing them.
.It Fl U
Unprivileged mode, do not change the ownership of created links.
Do record the ownership in the METALOG file.
.El
.Pp
Primary command functions:
.Bl -tag -width untrusted
.It Ic list
List all currently trusted certificate authorities.
.It Ic untrusted
List all currently untrusted certificates.
.It Ic rehash
Rebuild the list of trusted certificate authorities by scanning all directories
in
.Ev TRUSTPATH
and all untrusted certificates in
.Ev UNTRUSTPATH .
A symbolic link to each trusted certificate is placed in
.Ev CERTDESTDIR
and each untrusted certificate in
.Ev UNTRUSTDESTDIR .
.It Ic untrust
Add the specified file to the untrusted list.
.It Ic trust
Remove the specified file from the untrusted list.
.El
.Sh ENVIRONMENT
.Bl -tag -width UNTRUSTDESTDIR
.It Ev DESTDIR
Alternate destination directory to operate on.
.It Ev DISTBASE
Additional path component to include when operating on certificate directories.
.It Ev TRUSTPATH
List of paths to search for trusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/usr/share/certs/trusted
.Pa <DESTDIR><DISTBASE>/usr/local/share/certs
.Pa <DESTDIR><DISTBASE>/usr/local/etc/ssl/certs
.It Ev UNTRUSTPATH
List of paths to search for untrusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/usr/share/certs/untrusted
.Pa <DESTDIR><DISTBASE>/usr/local/etc/ssl/untrusted
.Pa <DESTDIR><DISTBASE>/usr/local/etc/ssl/blacklisted
.It Ev CERTDESTDIR
Destination directory for symbolic links to trusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/etc/ssl/certs
.It Ev UNTRUSTDESTDIR
Destination directory for symbolic links to untrusted certificates.
Default:
.Pa <DESTDIR><DISTBASE>/etc/ssl/untrusted
.It Ev EXTENSIONS
List of file extensions to read as certificate files.
Default: *.pem *.crt *.cer *.crl *.0
.El
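The following check is an added example, not part of the original manual page or of certctl itself. It audits a CERTDESTDIR against the rehash behaviour described above and reports every entry that is not a symbolic link resolving into one of the TRUSTPATH directories. The function name audit_certdestdir and the finding labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not certctl code). audit_certdestdir is a hypothetical helper.
#
# Usage: audit_certdestdir CERTDESTDIR TRUSTDIR...
# Prints one finding per line for each entry in CERTDESTDIR that is not a
# symbolic link resolving into one of the TRUSTDIR directories.
# Returns 1 if any finding was printed, 0 if the directory is clean.
#
# With empty DESTDIR and DISTBASE, the documented defaults give:
#   audit_certdestdir /etc/ssl/certs /usr/share/certs/trusted \
#       /usr/local/share/certs /usr/local/etc/ssl/certs
audit_certdestdir() {
    dest=$1; shift
    findings=0
    for entry in "$dest"/*; do
        # Skip the literal pattern left behind when the directory is empty.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ ! -L "$entry" ]; then
            # rehash places symbolic links; a regular file was put here by
            # something else and deserves a look.
            echo "not-a-symlink $entry"; findings=1; continue
        fi
        if [ ! -e "$entry" ]; then
            # The link exists but its target does not.
            echo "dangling $entry"; findings=1; continue
        fi
        target=$(realpath "$entry")
        ok=0
        for dir in "$@"; do
            [ -d "$dir" ] || continue
            root=$(realpath "$dir")
            case $target in
                "$root"/*) ok=1; break ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            echo "outside-trustpath $entry -> $target"; findings=1
        fi
    done
    return "$findings"
}
```

The same function can be pointed at UNTRUSTDESTDIR with the UNTRUSTPATH directories as arguments.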
.Sh SEE ALSO
.Xr openssl 1
.Sh HISTORY
.Nm
first appeared in
.Fx 12.2
.Sh AUTHORS
.An Allan Jude Aq Mt allanjude@freebsd.org