On Fedora, I’m talking about the list displayed when you go to settings > manage certificates > authorities tab.
I’ve read that it should be in the NSS shared DB, but this command returns an empty list:
$ certutil -d sql:$HOME/.pki/nssdb -L
Answers:
Method 1
Those are NSS built-in certificates. They are provided through a shared library: /usr/lib/libnssckbi.so (path may be different on your system). That’s where Chrome gets them from.
You could list them with certutil like this:
Make a link to the library in ~/.pki/nssdb:
ln -s /usr/lib/libnssckbi.so ~/.pki/nssdb
Then run:
certutil -L -d sql:$HOME/.pki/nssdb/ -h 'Builtin Object Token'
Output:
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Builtin Object Token:GTE CyberTrust Global Root C,C,C
Builtin Object Token:Thawte Server CA C,,C
Builtin Object Token:Thawte Premium Server CA C,,C
Builtin Object Token:Equifax Secure CA C,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 1 C,C,C
Builtin Object Token:Digital Signature Trust Co. Global CA 3 C,C,C
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority C,C,C
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G2 ,C,
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority - G2 ,C,C
Builtin Object Token:Verisign Class 3 Public Primary Certification Authority - G2 C,C,C
Builtin Object Token:GlobalSign Root CA C,C,C
Builtin Object Token:GlobalSign Root CA - R2 C,C,C
Builtin Object Token:ValiCert Class 1 VA C,C,C
Builtin Object Token:ValiCert Class 2 VA C,C,C
Builtin Object Token:RSA Root Certificate 1 C,C,C
..................................................................
..................................................................
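Added example (not part of the original answer): the trust column in the listing above has three comma-separated fields, SSL, S/MIME and JAR/XPI, and a `C` flag in a field marks the certificate as a trusted CA for that purpose. The hypothetical helper `trusted_roots` filters a `certutil -L` listing by field, and `sample_listing` holds lines copied from the output above.

```shell
#!/bin/sh
# Added example: filter a `certutil -L` listing by trust purpose.
# Usage with the command from the answer above:
#   certutil -L -d sql:$HOME/.pki/nssdb/ -h 'Builtin Object Token' | trusted_roots 1
# Field numbers follow the header: 1 = SSL, 2 = S/MIME, 3 = JAR/XPI.

# trusted_roots FIELD: read a listing on stdin and print the nickname of every
# entry whose FIELD-th trust field carries the "C" (trusted CA) flag.
trusted_roots() {
    awk -v col="${1:-1}" '
    {
        trust = $NF                      # trust string is the last token
        # Skip header, filler and blank lines: they have no "x,y,z" token.
        if (trust !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/) next
        split(trust, f, ",")             # a field may be empty, as in ",C,"
        if (index(f[col], "C") == 0) next
        name = $0
        sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "", name)
        sub(/^[ \t]*Builtin Object Token:/, "", name)
        print name
    }'
}

# Sample input: header plus four entries copied from the output above.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:GTE CyberTrust Global Root              C,C,C
Builtin Object Token:Thawte Server CA                        C,,C
Builtin Object Token:Verisign Class 1 Public Primary Certification Authority - G2 ,C,
Builtin Object Token:Verisign Class 2 Public Primary Certification Authority - G2 ,C,C
EOF
}
```

Running `sample_listing | trusted_roots 1` leaves out both Verisign G2 entries, because their SSL field is empty even though they are trusted for S/MIME.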
Method 2
It gets them from the underlying operating system. You can read about it here:
excerpt from above link
Google Chrome attempts to use the root certificate store of the
underlying operating system to determine whether an SSL certificate
presented by a site is indeed trustworthy, with a few exceptions.
That page goes on to describe who to contact if you’re a root CA provider for the various OSes etc.
Method 3
In the off chance that you’re asking because you actually need to use the list of root CAs, here they are (unfortunately named only by index):
Individual Certificate Files
https://github.com/coolaj86/node-ssl-root-cas/tree/master/pems
Mozilla’s Big File of Certificates
http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
Scripts to Parse the Big File of Certificates
https://github.com/coolaj86/node-ssl-root-cas
https://github.com/bagder/curl/blob/master/lib/mk-ca-bundle.pl
http://curl.haxx.se/docs/mk-ca-bundle.html
General Information about extracting Mozilla’s Certificates File
http://curl.haxx.se/docs/caextract.html
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.