1CA-LEGACY(8) CA-LEGACY(8)
2
3
4
6 ca-legacy - Manage the system configuration for legacy CA certificates
7
9 ca-legacy [COMMAND]
10
12 ca-legacy(8) is used to include or exclude a set of legacy Certificate
13 Authority (CA) certificates in the system’s list of trusted CA
14 certificates.
15
16 The list of CA certificates and trust flags included in the
17 ca-certificates package are based on the decisions made by Mozilla.org
18 according to the Mozilla CA policy.
19
20 Occasionally, removal or distrust decisions made by Mozilla.org might
21 be incompatible with the requirements or limitations of some
22 applications that also use the CA certificates list in the Linux
23 environment.
24
25 The ca-certificates package might keep some CA certificates included
26 and trusted by default, as long as it is seen necessary by the
27 maintainers, despite the fact that they have been removed by Mozilla.
28 These certificates are called legacy CA certificates.
29
30 The general requirements to keep legacy CA certificates included and
31 trusted might change over time, for example if functional limitations
32 of software packages have been resolved. Future versions of the
33 ca-certificates package might reduce the set of legacy CA certificates
34 that are included and trusted by default.
35
36 The ca-legacy(8) command can be used to override the default behaviour.
37
38 The mechanisms to individually trust or distrust CA certificates as
39 described in update-ca-trust(8) still apply.
40
42 check
43 The current configuration will be shown.
44
45 default
46 Configure the system to use the default configuration, as
47 recommended by the package maintainers.
48
49 disable
50 Configure the system to explicitly disable legacy CA certificates.
51 Using this configuration, the system will use the set of included
52 and trusted CA certificates as released by Mozilla.
53
54 install
55 The configuration file will be read and the system configuration
56 will be set accordingly. This command is executed automatically
57 during upgrades of the ca-certificates package.
58
60 /etc/pki/ca-trust/ca-legacy.conf
61 A configuration file that will be used and modified by the
62 ca-legacy command. The contents of the configuration file will be
63 read on package upgrades.
64
66 Written by Kai Engert.
67
68
69
70ca-legacy 07/24/2019 CA-LEGACY(8)