ca-bundle.crt vs. ca-bundle.trust.crt

When an application requests the CA certificate bundle, the correct file to provide depends on:

  1. The application’s TLS library (OpenSSL, GnuTLS, NSS, etc.)
  2. Whether it expects trust flags (i.e., "trusted for server auth")
  3. The expected format (PEM, DER, trust-annotated PEM)

Let’s break it down.


🔍 When to Provide Which CA Bundle

| Use Case / Application | Provide This CA Bundle | Why? |
|---|---|---|
| OpenSSL, curl, wget, git, dnf/yum | /etc/ssl/certs/ca-bundle.crt (on RHEL: symlink to /etc/pki/tls/certs/ca-bundle.crt) | OpenSSL expects plain PEM format |
| GnuTLS (used by GNOME apps, wget on Fedora), glib-networking | /etc/pki/tls/certs/ca-bundle.trust.crt | GnuTLS requires trust bits, supported in *.trust.crt |
| Firefox, NSS-based apps | Internal NSS DB or /etc/pki/nssdb | Uses its own cert store; must be updated via certutil |
| Python requests (via certifi) | certifi.where(), or override via REQUESTS_CA_BUNDLE | Python uses its own vendored CA list unless overridden |
| Java (JVM) | $JAVA_HOME/lib/security/cacerts (Java Keystore) | Expects JKS or PKCS#12, not PEM; needs conversion |
| Go binaries (static) | Uses system default (if dynamically linked) or may bundle its own | Built-in Go TLS honors /etc/ssl/certs on Linux unless overridden |

🧭 General Recommendation for Linux Systems


🔧 Custom Environment Variable Overrides (for applications)

If an app doesn’t pick up the right bundle:

export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt

Or in systemd units:

[Service]
Environment="SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"

🛠️ Summary Table

| Bundle Path | Format | Suitable For |
|---|---|---|
| /etc/ssl/certs/ca-bundle.crt | PEM | Most CLI tools (OpenSSL, curl, etc.) |
| /etc/pki/tls/certs/ca-bundle.trust.crt | PEM w/ trust | GnuTLS, glib-networking |
| /etc/pki/nssdb/, Firefox profile DBs | NSS DB | Firefox, Thunderbird, some security tools |
| Java keystore (cacerts) | JKS | Java applications |

✅ TL;DR

Most applications expect /etc/ssl/certs/ca-bundle.crt — the plain PEM file — unless you're using GnuTLS-based tools, NSS (like Firefox), or Java, which have different requirements.
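As an added example (not from the original page), here is a small Python checker that tells the two bundle formats apart by their PEM block labels and validates an SSL_CERT_FILE override against the table above. File contents are read through a function argument, so the constructed fixtures at the bottom stand in for real bundles; the placeholder base64 bodies are not real certificates.

```python
import base64
import re
from collections import Counter

# One PEM block: label ("CERTIFICATE" or "TRUSTED CERTIFICATE") plus base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)

def inspect_bundle(text):
    """Count PEM labels and classify the bundle as 'plain' (ca-bundle.crt style),
    'trust-annotated' (ca-bundle.trust.crt style), 'mixed' or 'empty'."""
    counts, bad = Counter(), []
    for i, m in enumerate(PEM_BLOCK.finditer(text)):
        counts[m.group("label")] += 1
        try:  # a body that is not valid base64 marks a corrupt entry
            base64.b64decode("".join(m.group("body").split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            bad.append(i)
    plain, trusted = counts["CERTIFICATE"], counts["TRUSTED CERTIFICATE"]
    kind = ("mixed" if plain and trusted else "trust-annotated" if trusted
            else "plain" if plain else "empty")
    return {"kind": kind, "counts": dict(counts), "bad_blocks": bad}

def check_ssl_cert_file(env, read_file):
    """Check that SSL_CERT_FILE points at a readable plain-PEM bundle, the form the
    table above gives for OpenSSL-family tools. read_file(path) returns text or raises OSError."""
    path = env.get("SSL_CERT_FILE")
    if not path:
        return "unset: OpenSSL falls back to its compiled-in default locations"
    try:
        info = inspect_bundle(read_file(path))
    except OSError:
        return f"error: {path} is not readable"
    if info["kind"] == "plain" and not info["bad_blocks"]:
        return f"ok: {path} is plain PEM with {info['counts']['CERTIFICATE']} certs"
    return f"warning: {path} is {info['kind']} (corrupt blocks: {info['bad_blocks']})"

# Constructed fixtures (placeholder base64, not real certificates).
SAMPLE_PLAIN = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLE_TRUST = "-----BEGIN TRUSTED CERTIFICATE-----\nMIIB\n-----END TRUSTED CERTIFICATE-----\n"
SAMPLE_CORRUPT = "-----BEGIN CERTIFICATE-----\nMII\n-----END CERTIFICATE-----\n"  # bad padding
FIXTURES = {"/etc/ssl/certs/ca-bundle.crt": SAMPLE_PLAIN,
            "/etc/pki/tls/certs/ca-bundle.trust.crt": SAMPLE_TRUST}

def read_fixture(path):
    if path not in FIXTURES:
        raise FileNotFoundError(path)
    return FIXTURES[path]
```

Replace read_fixture with a function that opens the real path to run the check on a live system.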


Yes — most container images do include at least one CA bundle, especially if the image is based on a full Linux distribution (e.g., RHEL UBI, Alpine, Debian, etc.). Here's how and why:


Why CA Bundles Are Included in Container Images

Most containers need CA bundles for TLS certificate validation, including:

If the CA bundle is missing:


📦 Typical CA Bundle Locations in Container Images

| Base Image | Trust File | Package Providing It |
|---|---|---|
| RHEL / UBI | /etc/pki/tls/certs/ca-bundle.crt | ca-certificates |
| Debian/Ubuntu | /etc/ssl/certs/ca-certificates.crt | ca-certificates |
| Alpine | /etc/ssl/certs/ca-certificates.crt | ca-certificates (musl/OpenSSL-based) |

🔹 These are symlinks or files pointing to trusted root bundles maintained by each distro's update mechanism.


🧼 Are They Always Included?

Not always:


🧰 In Custom or Air-Gapped Containers

You may:


✅ TL;DR

Yes, container images typically include CA bundles, especially standard ones like ca-bundle.crt or ca-certificates.crt, so that tools and applications can validate HTTPS/TLS connections.

Minimal images might omit them for size, but in practice, most working containers need them — and you'll have to add them explicitly in custom or stripped-down images.

You're absolutely right — RHEL (and many other Linux systems) maintain two primary CA bundle files, and their differing sizes and contents serve distinct purposes.

Here’s what they are and why both exist:


📁 The Two Bundles in RHEL

1. /etc/ssl/certs/ca-bundle.crt

(Approx. 270–300 KB)


2. /etc/pki/tls/certs/ca-bundle.trust.crt

(Approx. 500–600 KB)


🧠 Why Two Bundles?

| Feature | ca-bundle.crt | ca-bundle.trust.crt |
|---|---|---|
| Format | PEM | PEM + trust flags (OpenSSL + p11-kit) |
| Consumers | OpenSSL, curl, git, etc. | GnuTLS, GNOME apps, systemd, Firefox* |
| Trust metadata | ❌ No | ✅ Yes |
| Size | Smaller (~300 KB) | Larger (~600 KB) |

🔄 How They’re Maintained

Both are regenerated via:

update-ca-trust extract

...which reads from:


🧩 In Air-Gapped or Hardened Systems

You can:


✅ TL;DR

RHEL provides two CA bundles:

You need both to ensure compatibility across all system libraries and tools.