CERTCTL(8) FreeBSD System Manager's Manual CERTCTL(8)

NAME

certctl - tool for managing trusted and untrusted TLS certificates

SYNOPSIS

certctl [-lv] list

certctl [-lv] untrusted

certctl [-BnUv] [-D destdir] [-M metalog] rehash

certctl [-nv] untrust file ...

certctl [-nv] trust file ...

DESCRIPTION

The certctl utility manages the list of TLS Certificate Authorities that are trusted by applications that use OpenSSL.

The following options are available:

-B
    Do not generate a bundle. This option is only valid in conjunction with the rehash command.
-D destdir
    Specify the DESTDIR (overriding values from the environment).
-d distbase
    Specify the DISTBASE (overriding values from the environment).
-l
    When listing installed (trusted or untrusted) certificates, show the full path and distinguished name for each certificate.
-M metalog
    Specify the path of the METALOG file (default: ${DESTDIR}/METALOG). This option is only valid in conjunction with the rehash command.
-n
    Dry-run mode. Do not actually perform any actions except write the metalog.
-v
    Verbose mode. Print detailed information about each action taken.
-U
    Unprivileged mode. Do not attempt to set the ownership of created files. This option is only valid in conjunction with the -M option and the rehash command.

Primary command functions:

list
    List all currently trusted certificates.
untrusted
    List all currently untrusted certificates.
rehash
    Rebuild the list of trusted certificates by scanning all directories in TRUSTPATH and all untrusted certificates in UNTRUSTPATH. A copy of each trusted certificate is placed in TRUSTDESTDIR and each untrusted certificate in UNTRUSTDESTDIR. In addition, a bundle containing the trusted certificates is placed in BUNDLE.
untrust
    Add the specified file to the untrusted list. Note that the next rehash will remove it unless a copy of it is also placed somewhere in a directory included in UNTRUSTPATH.
trust
    Add the specified file to the trusted list, unless it is already untrusted. Note that the next rehash will remove it unless a copy of it is also placed somewhere in a directory included in TRUSTPATH.

ENVIRONMENT

DESTDIR
    Absolute path to an alternate destination directory to operate on instead of the file system root, e.g. “/tmp/install”.
DISTBASE
    Additional path component to include when operating on certificate directories. This must start with a slash, e.g. “/base”.
LOCALBASE
    Location for local programs. Defaults to the value of the user.localbase sysctl which is usually /usr/local.
TRUSTPATH
    List of paths to search for trusted certificates. Default: ${DESTDIR}${DISTBASE}/usr/share/certs/trusted ${DESTDIR}${LOCALBASE}/share/certs/trusted ${DESTDIR}${LOCALBASE}/share/certs
UNTRUSTPATH
    List of paths to search for untrusted certificates. Default: ${DESTDIR}${DISTBASE}/usr/share/certs/untrusted ${DESTDIR}${LOCALBASE}/share/certs/untrusted
TRUSTDESTDIR
    Destination directory for symbolic links to trusted certificates. Default: ${DESTDIR}${DISTBASE}/etc/ssl/certs
UNTRUSTDESTDIR
    Destination directory for symbolic links to untrusted certificates. Default: ${DESTDIR}${DISTBASE}/etc/ssl/untrusted
BUNDLE
    File name of bundle to produce. Default: ${DESTDIR}${DISTBASE}/etc/ssl/cert.pem
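
The untrust command's effect is lost at the next rehash unless a copy of the certificate also sits in a directory listed in UNTRUSTPATH. The following shell helper is an added example, not part of the FreeBSD manual or of certctl itself: it places the copy in the default ${DESTDIR}${LOCALBASE}/share/certs/untrusted directory and then rebuilds the store. The function names untrust_dir and persist_untrust are hypothetical, and the PEM check assumes the CA file is PEM-encoded.

```shell
#!/bin/sh
# Added example: make an "untrust" decision survive later rehash runs.
# untrust_dir and persist_untrust are hypothetical helper names.

# Directory that the default UNTRUSTPATH searches for locally managed
# untrusted certificates: ${DESTDIR}${LOCALBASE}/share/certs/untrusted
untrust_dir() {
    lb="${LOCALBASE:-$(sysctl -n user.localbase 2>/dev/null || echo /usr/local)}"
    printf '%s%s/share/certs/untrusted\n' "${DESTDIR:-}" "$lb"
}

persist_untrust() {
    cert="$1"
    # Sanity check (assumption: the CA file is PEM-encoded).
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
        echo "persist_untrust: $cert is not a readable PEM certificate" >&2
        return 1
    fi
    dir="$(untrust_dir)"
    mkdir -p "$dir" || return 1
    # The copy under UNTRUSTPATH is what keeps the entry across rehash;
    # "certctl untrust" alone is undone by the next rehash.
    cp -f -- "$cert" "$dir/" || return 1
    chmod 0444 "$dir/$(basename -- "$cert")" || return 1

    if command -v certctl >/dev/null 2>&1; then
        # DESTDIR and LOCALBASE, if used, must be exported so that certctl
        # operates on the same tree as the copy made above.
        certctl -v rehash || return 1
        # Confirm the result: full path and distinguished name per entry.
        certctl -l untrusted
    else
        echo "certctl not found; run 'certctl rehash' on the target host" >&2
    fi
}

# Usage on a FreeBSD host, as root:
#   persist_untrust /path/to/unwanted-ca.pem
```

Adding -n to the rehash call previews the rebuild in dry-run mode before anything is changed.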

HISTORY

certctl first appeared in FreeBSD 12.2.

AUTHORS

The original shell implementation was written by Allan Jude <allanjude@FreeBSD.org>. The current C implementation was written by Dag-Erling Smørgrav <des@FreeBSD.org>.

April 24, 2026 FreeBSD 15.1-RELEASE
