xref: /freebsd/usr.sbin/certctl/certctl.8 (revision 732a02b4e77866604a120a275c082bb6221bd2ff) 
1.\"
2.\" SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3.\"
4.\" Copyright 2018 Allan Jude <allanjude@freebsd.org>
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted providing that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
19.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
23.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
24.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25.\" POSSIBILITY OF SUCH DAMAGE.
26.\"
27.\" $FreeBSD$
28.\"
29.Dd February 19, 2019
30.Dt CERTCTL 8
31.Os
32.Sh NAME
33.Nm certctl
34.Nd "tool for managing trusted and blacklist TLS certificates"
35.Sh SYNOPSIS
36.Nm
37.Op Fl v
38.Ic list
39.Nm
40.Op Fl v
41.Ic blacklisted
42.Nm
43.Op Fl nv
44.Ic rehash
45.Nm
46.Op Fl nv
47.Ic blacklist Ar file
48.Nm
49.Op Fl nv
50.Ic unblacklist Ar file
51.Sh DESCRIPTION
52The
53.Nm
54utility manages the list of TLS Certificate Authorities that are trusted by
55applications that use OpenSSL.
56.Pp
57Flags:
58.Bl -tag -width 4n
59.It Fl n
60No-Op mode, do not actually perform any actions.
61.It Fl v
62be verbose, print details about actions before performing them.
63.El
64.Pp
65Primary command functions:
66.Bl -tag -width blacklisted
67.It Ic list
68List all currently trusted certificate authorities.
69.It Ic blacklisted
70List all currently blacklisted certificates.
71.It Ic rehash
72Rebuild the list of trusted certificate authorities by scanning all directories
73in
74.Ev TRUSTPATH
75and all blacklisted certificates in
76.Ev BLACKLISTPATH .
77A symbolic link to each trusted certificate is placed in
78.Ev CERTDESTDIR
79and each blacklisted certificate in
80.Ev BLACKLISTDESTDIR .
81.It Ic blacklist
82Add the specified file to the blacklist.
83.It Ic unblacklist
84Remove the specified file from the blacklist.
85.El
86.Sh ENVIRONMENT
87.Bl -tag -width BLACKLISTDESTDIR
88.It Ev DESTDIR
89Alternate destination directory to operate on.
90.It Ev TRUSTPATH
91List of paths to search for trusted certificates.
92Default:
93.Pa <DESTDIR>/usr/share/certs/trusted
94.Pa <DESTDIR>/usr/local/share/certs <DESTDIR>/usr/local/etc/ssl/certs
95.It Ev BLACKLISTPATH
96List of paths to search for blacklisted certificates.
97Default:
98.Pa <DESTDIR>/usr/share/certs/blacklisted
99.Pa <DESTDIR>/usr/local/etc/ssl/blacklisted
100.It Ev CERTDESTDIR
101Destination directory for symbolic links to trusted certificates.
102Default:
103.Pa <DESTDIR>/etc/ssl/certs
104.It Ev BLACKLISTDESTDIR
105Destination directory for symbolic links to blacklisted certificates.
106Default:
107.Pa <DESTDIR>/etc/ssl/blacklisted
108.It Ev EXTENSIONS
109List of file extensions to read as certificate files.
110Default: *.pem *.crt *.cer *.crl *.0
111.El
112.Sh SEE ALSO
113.Xr openssl 1
114.Sh HISTORY
115.Nm
116first appeared in
117.Fx 12.0
118.Sh AUTHORS
119.An Allan Jude Aq Mt allanjude@freebsd.org
120