CERTCTL(8)                  System Manager's Manual                 CERTCTL(8)

NAME
       certctl -- tool for managing trusted and untrusted TLS certificates

SYNOPSIS
       certctl [-lv] list
       certctl [-lv] untrusted
       certctl [-BnUv] [-D destdir] [-M metalog] rehash
       certctl [-nv] untrust file ...
       certctl [-nv] trust file ...

DESCRIPTION
       The certctl utility manages the list of TLS Certificate Authorities
       that are trusted by applications that use OpenSSL.

       The following options are available:

       -B    Do not generate a bundle.  This option is only valid in
             conjunction with the rehash command.

       -D destdir
             Specify the DESTDIR (overriding values from the environment).

       -d distbase
             Specify the DISTBASE (overriding values from the environment).

       -l    When listing installed (trusted or untrusted) certificates, show
             the full path and distinguished name for each certificate.

       -M metalog
             Specify the path of the METALOG file (default:
             ${DESTDIR}/METALOG).  This option is only valid in conjunction
             with the rehash command.

       -n    Dry-run mode.  Do not actually perform any actions except write
             the metalog.

       -v    Verbose mode.  Print detailed information about each action
             taken.

       -U    Unprivileged mode.  Do not attempt to set the ownership of
             created files.  This option is only valid in conjunction with
             the -M option and the rehash command.

       Primary command functions:

       list       List all currently trusted certificates.

       untrusted  List all currently untrusted certificates.

       rehash     Rebuild the list of trusted certificates by scanning all
                  directories in TRUSTPATH and all untrusted certificates in
                  UNTRUSTPATH.  A copy of each trusted certificate is placed
                  in CERTDESTDIR and each untrusted certificate in
                  UNTRUSTDESTDIR.  In addition, a bundle containing the
                  trusted certificates is placed in BUNDLE.

       untrust    Add the specified file to the untrusted list.

       trust      Remove the specified file from the untrusted list.

ENVIRONMENT
       DESTDIR         Absolute path to an alternate destination directory to
                       operate on instead of the file system root, e.g.
                       "/tmp/install".

       DISTBASE        Additional path component to include when operating on
                       certificate directories.  This must start with a slash,
                       e.g. "/base".

       LOCALBASE       Location for local programs.  Defaults to the value of
                       the user.localbase sysctl which is usually /usr/local.

       TRUSTPATH       List of paths to search for trusted certificates.
                       Default:
                       ${DESTDIR}${DISTBASE}/usr/share/certs/trusted
                       ${DESTDIR}${LOCALBASE}/share/certs/trusted
                       ${DESTDIR}${LOCALBASE}/share/certs

       UNTRUSTPATH     List of paths to search for untrusted certificates.
                       Default:
                       ${DESTDIR}${DISTBASE}/usr/share/certs/untrusted
                       ${DESTDIR}${LOCALBASE}/share/certs/untrusted

       TRUSTDESTDIR    Destination directory for symbolic links to trusted
                       certificates.  Default:
                       ${DESTDIR}${DISTBASE}/etc/ssl/certs

       UNTRUSTDESTDIR  Destination directory for symbolic links to untrusted
                       certificates.  Default:
                       ${DESTDIR}${DISTBASE}/etc/ssl/untrusted

       BUNDLE          File name of bundle to produce.  Default:
                       ${DESTDIR}${DISTBASE}/etc/ssl/cert.pem
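
       An added example (not part of the FreeBSD manual page or the certctl
       source): a POSIX sh preflight that applies the DESTDIR and DISTBASE
       constraints and the defaults listed above to show which locations a
       rehash would read and write for a staged tree, then runs the
       documented dry run.  The function names certctl_preflight and
       certctl_dry_rehash are hypothetical.

```shell
#!/bin/sh
# Added example, not part of certctl. Function names are hypothetical.
# Defaults and constraints are taken from the ENVIRONMENT section above.

# Print the locations a rehash would read and write for the current
# environment. The body is a subshell, so no variables leak to the caller.
certctl_preflight() (
    destdir=${DESTDIR:-}
    distbase=${DISTBASE:-}
    # LOCALBASE falls back to the user.localbase sysctl, then /usr/local.
    localbase=${LOCALBASE:-$(sysctl -n user.localbase 2>/dev/null || true)}
    localbase=${localbase:-/usr/local}

    # DESTDIR must be absolute; DISTBASE must start with a slash.
    case $destdir in
        ''|/*) ;;
        *) echo "DESTDIR is not an absolute path: $destdir" >&2; exit 1 ;;
    esac
    case $distbase in
        ''|/*) ;;
        *) echo "DISTBASE does not start with a slash: $distbase" >&2; exit 1 ;;
    esac

    base=$destdir$distbase
    loc=$destdir$localbase
    # An explicit TRUSTPATH or UNTRUSTPATH is shown as given, unsplit.
    if [ -n "${TRUSTPATH:-}" ]; then
        printf 'read %s\n' "$TRUSTPATH"
    else
        printf 'read %s\n' "$base/usr/share/certs/trusted" \
            "$loc/share/certs/trusted" "$loc/share/certs"
    fi
    if [ -n "${UNTRUSTPATH:-}" ]; then
        printf 'read %s\n' "$UNTRUSTPATH"
    else
        printf 'read %s\n' "$base/usr/share/certs/untrusted" \
            "$loc/share/certs/untrusted"
    fi
    printf 'write %s\n' "${TRUSTDESTDIR:-$base/etc/ssl/certs}" \
        "${UNTRUSTDESTDIR:-$base/etc/ssl/untrusted}" \
        "${BUNDLE:-$base/etc/ssl/cert.pem}"
)

# Show the paths, then let certctl report what it would do.
# -n is the documented dry run (it still writes the metalog); -v is verbose.
certctl_dry_rehash() {
    certctl_preflight || return 1
    command -v certctl >/dev/null 2>&1 || return 0  # certctl not installed
    certctl -n -v rehash
}
```

       Export DESTDIR (and DISTBASE if used) before calling
       certctl_dry_rehash so that certctl sees the same values the
       preflight printed.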

SEE ALSO
       openssl(1)

HISTORY
       certctl first appeared in FreeBSD 12.2.

AUTHORS
       The original shell implementation was written by Allan Jude
       <allanjude@FreeBSD.org>.  The current C implementation was written by
       Dag-Erling Smorgrav <des@FreeBSD.org>.

FreeBSD 15.0                    October 9, 2025                     CERTCTL(8)
