FreeBSD Manual Pages
CERTCTL(8)              System Manager's Manual              CERTCTL(8)

NAME
     certctl -- tool for managing trusted and untrusted TLS certificates

SYNOPSIS
     certctl [-lv] list
     certctl [-lv] untrusted
     certctl [-BnUv] [-D destdir] [-M metalog] rehash
     certctl [-nv] untrust file ...
     certctl [-nv] trust file ...

DESCRIPTION
     The certctl utility manages the list of TLS Certificate Authorities
     that are trusted by applications that use OpenSSL.

     The following options are available:

     -B      Do not generate a bundle.  This option is only valid in
             conjunction with the rehash command.

     -D destdir
             Specify the DESTDIR (overriding values from the environment).

     -d distbase
             Specify the DISTBASE (overriding values from the environment).

     -l      When listing installed (trusted or untrusted) certificates,
             show the full path and distinguished name for each
             certificate.

     -M metalog
             Specify the path of the METALOG file (default:
             ${DESTDIR}/METALOG).  This option is only valid in
             conjunction with the rehash command.

     -n      Dry-run mode.  Do not actually perform any actions except
             write the metalog.

     -v      Verbose mode.  Print detailed information about each action
             taken.

     -U      Unprivileged mode.  Do not attempt to set the ownership of
             created files.  This option is only valid in conjunction
             with the -M option and the rehash command.

     Primary command functions:

     list    List all currently trusted certificates.

     untrusted
             List all currently untrusted certificates.

     rehash  Rebuild the list of trusted certificates by scanning all
             directories in TRUSTPATH and all untrusted certificates in
             UNTRUSTPATH.  A copy of each trusted certificate is placed in
             TRUSTDESTDIR and each untrusted certificate in
             UNTRUSTDESTDIR.  In addition, a bundle containing the trusted
             certificates is placed in BUNDLE.

     untrust
             Add the specified file to the untrusted list.  Note that the
             next rehash will remove it unless a copy of it is also placed
             somewhere in a directory included in UNTRUSTPATH.

     trust   Add the specified file to the trusted list, unless it is
             already untrusted.  Note that the next rehash will remove it
             unless a copy of it is also placed somewhere in a directory
             included in TRUSTPATH.

ENVIRONMENT
     DESTDIR     Absolute path to an alternate destination directory to
                 operate on instead of the file system root, e.g.
                 "/tmp/install".

     DISTBASE    Additional path component to include when operating on
                 certificate directories.  This must start with a slash,
                 e.g. "/base".

     LOCALBASE   Location for local programs.  Defaults to the value of
                 the user.localbase sysctl which is usually /usr/local.

     TRUSTPATH   List of paths to search for trusted certificates.
                 Default:
                 ${DESTDIR}${DISTBASE}/usr/share/certs/trusted
                 ${DESTDIR}${LOCALBASE}/share/certs/trusted
                 ${DESTDIR}${LOCALBASE}/share/certs

     UNTRUSTPATH
                 List of paths to search for untrusted certificates.
                 Default:
                 ${DESTDIR}${DISTBASE}/usr/share/certs/untrusted
                 ${DESTDIR}${LOCALBASE}/share/certs/untrusted

     TRUSTDESTDIR
                 Destination directory for symbolic links to trusted
                 certificates.  Default:
                 ${DESTDIR}${DISTBASE}/etc/ssl/certs

     UNTRUSTDESTDIR
                 Destination directory for symbolic links to untrusted
                 certificates.  Default:
                 ${DESTDIR}${DISTBASE}/etc/ssl/untrusted

     BUNDLE      File name of bundle to produce.  Default:
                 ${DESTDIR}${DISTBASE}/etc/ssl/cert.pem

SEE ALSO
     openssl(1)

HISTORY
     certctl first appeared in FreeBSD 12.2.

AUTHORS
     The original shell implementation was written by Allan Jude
     <allanjude@FreeBSD.org>.  The current C implementation was written by
     Dag-Erling Smorgrav <des@FreeBSD.org>.

FreeBSD ports 15.1             April 24, 2026                  CERTCTL(8)
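Added example (not part of the manual page or the FreeBSD sources): the untrust description notes that the next rehash removes the entry unless a copy also sits in a directory in UNTRUSTPATH, so this sketch places the copy there, previews the rehash with -n, applies it, and lists the result. The function names and the choice of the LOCALBASE directory among the UNTRUSTPATH defaults are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the manual page: make a distrust decision persistent.

# Print the LOCALBASE entry of the default UNTRUSTPATH from ENVIRONMENT.
# Choosing this directory over the DISTBASE one is this example's assumption.
untrust_dir() {
    ut_lb=${LOCALBASE:-$(sysctl -n user.localbase 2>/dev/null || true)}
    printf '%s%s/share/certs/untrusted\n' "${DESTDIR:-}" "${ut_lb:-/usr/local}"
}

# persist_untrust FILE: copy FILE into UNTRUSTPATH, then rehash.
persist_untrust() {
    pu_cert=$1
    [ -r "$pu_cert" ] || { echo "cannot read: $pu_cert" >&2; return 1; }
    # DESTDIR, when set, must be an absolute path.
    case ${DESTDIR:-/} in
        /*) ;;
        *) echo "DESTDIR must be absolute" >&2; return 1 ;;
    esac
    pu_dir=$(untrust_dir)
    mkdir -p "$pu_dir" && cp "$pu_cert" "$pu_dir/" || return 1
    # Dry run first to review the planned actions, then apply.
    certctl -n -v rehash || return 1
    certctl -v rehash || return 1
    # Show full path and distinguished name of every untrusted certificate.
    certctl -l untrusted
}
```

Set DESTDIR to stage the change in an alternate root before applying it to the live system.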
