CERTCTL(8) FreeBSD System Manager's Manual CERTCTL(8)

NAME
     certctl - tool for managing trusted and blacklisted TLS certificates

SYNOPSIS
     certctl [-v] list
     certctl [-v] blacklisted
     certctl [-nUv] [-D destdir] [-M metalog] rehash
     certctl [-nv] blacklist file
     certctl [-nv] unblacklist file

DESCRIPTION
     The certctl utility manages the list of TLS Certificate Authorities that
     are trusted by applications that use OpenSSL.

     Flags:

     -D destdir
             Specify the DESTDIR (overriding values from the environment).

     -M metalog
             Specify the path of the METALOG file (default: $DESTDIR/METALOG).

     -n      No-Op mode, do not actually perform any actions.

     -v      Be verbose, print details about actions before performing them.

     -U      Unprivileged mode, do not change the ownership of created links.
             Do record the ownership in the METALOG file.

     Primary command functions:

     list         List all currently trusted certificate authorities.

     blacklisted  List all currently blacklisted certificates.

     rehash       Rebuild the list of trusted certificate authorities by
                  scanning all directories in TRUSTPATH and all blacklisted
                  certificates in BLACKLISTPATH. A symbolic link to each
                  trusted certificate is placed in CERTDESTDIR and each
                  blacklisted certificate in BLACKLISTDESTDIR.

     blacklist    Add the specified file to the blacklist.

     unblacklist  Remove the specified file from the blacklist.

ENVIRONMENT
     DESTDIR           Alternate destination directory to operate on.

     TRUSTPATH         List of paths to search for trusted certificates.
                       Default: <DESTDIR>/usr/share/certs/trusted
                       <DESTDIR>/usr/local/share/certs
                       <DESTDIR>/usr/local/etc/ssl/certs

     BLACKLISTPATH     List of paths to search for blacklisted certificates.
                       Default: <DESTDIR>/usr/share/certs/blacklisted
                       <DESTDIR>/usr/local/etc/ssl/blacklisted

     CERTDESTDIR       Destination directory for symbolic links to trusted
                       certificates. Default: <DESTDIR>/etc/ssl/certs

     BLACKLISTDESTDIR  Destination directory for symbolic links to blacklisted
                       certificates. Default: <DESTDIR>/etc/ssl/blacklisted

     EXTENSIONS        List of file extensions to read as certificate files.
                       Default: *.pem *.crt *.cer *.crl *.0
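
EXAMPLES
     The rehash description above implies that every entry in CERTDESTDIR is
     a symbolic link to a certificate found under TRUSTPATH. The sh function
     below is an added example, not part of the FreeBSD manual page or the
     certctl source, that audits that expectation after a rehash. The
     function name and status words are this example's own, and because the
     page does not say how TRUSTPATH entries are separated, it assumes colons
     or whitespace.

```sh
#!/bin/sh
# Added example (not from the certctl source): audit the symbolic links that
# `certctl rehash` places in CERTDESTDIR. Defaults mirror the manual page.
# Assumption: TRUSTPATH entries are separated by colons or whitespace.

# audit_certdestdir [destdir]
# Prints one line per entry with a status word chosen for this example:
#   OK       symlink resolving to a file under a TRUSTPATH directory
#   OUTSIDE  symlink resolving to a file elsewhere
#   DANGLING symlink whose target no longer exists
#   NOTLINK  entry that is not a symbolic link
# Returns 0 when every entry is OK, 1 otherwise.
audit_certdestdir() {
    destdir="${1:-$DESTDIR}"
    certdest="${CERTDESTDIR:-$destdir/etc/ssl/certs}"
    trust="${TRUSTPATH:-$destdir/usr/share/certs/trusted $destdir/usr/local/share/certs $destdir/usr/local/etc/ssl/certs}"
    trust=$(printf '%s' "$trust" | tr ':' ' ')
    rc=0
    for entry in "$certdest"/*; do
        # An unmatched glob stays literal: skip it (empty directory).
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ ! -L "$entry" ]; then
            echo "NOTLINK $entry"; rc=1; continue
        fi
        if [ ! -e "$entry" ]; then
            echo "DANGLING $entry"; rc=1; continue
        fi
        target=$(readlink -f "$entry")
        status=OUTSIDE
        for dir in $trust; do
            [ -d "$dir" ] || continue
            # Resolve the directory too, so a symlinked prefix still matches.
            case "$target" in
                "$(readlink -f "$dir")"/*) status=OK; break ;;
            esac
        done
        [ "$status" = OK ] || rc=1
        echo "$status $entry -> $target"
    done
    return "$rc"
}
```

     Call audit_certdestdir with no argument to check the live system, or
     pass the staging directory that was given to -D.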

SEE ALSO
     openssl(1)

HISTORY
     certctl first appeared in FreeBSD 12.2.

AUTHORS
     Allan Jude <allanjude@freebsd.org>

FreeBSD 13.1-RELEASE-p6 January 7, 2021 FreeBSD 13.1-RELEASE-p6