Choosing Between ca-bundle.crt and ca-bundle.trust.crt for Nginx SSL Trusted Certificate Configuration on CentOS

In CentOS 6.5's /etc/pki/tls/certs directory, you'll find two CA bundles that both come from the ca-certificates package:

ca-bundle.crt          # Plain PEM bundle: "-----BEGIN CERTIFICATE-----" entries
ca-bundle.trust.crt    # The same CAs in OpenSSL's "-----BEGIN TRUSTED CERTIFICATE-----" format, with trust attributes

The ca-bundle.crt contains:

  • The root CA certificates from the Mozilla trust store that the distribution treats as trusted for TLS server authentication
  • Plain X.509 certificates in standard PEM encoding, readable by any TLS library (OpenSSL, GnuTLS, NSS, Java and so on)

While ca-bundle.trust.crt contains:

  • The same CAs, each wrapped in OpenSSL's extended "TRUSTED CERTIFICATE" encoding, which stores trust attributes (the purposes the CA is trusted for, such as serverAuth) alongside the certificate
  • A format that can also express explicit distrust of a CA through reject attributes, instead of the CA simply being absent
  • Data only OpenSSL-based software can parse; GnuTLS- and NSS-based programs cannot load this file

Despite what the name suggests, ca-bundle.trust.crt is not a smaller subset of ca-bundle.crt: it carries the same CA set plus the extra attributes, so the file is not the smaller of the two.

For proxy_ssl_trusted_certificate in Nginx the choice is about file format, not about a wider or narrower set of CAs: Nginx links against OpenSSL, which reads both encodings through SSL_CTX_load_verify_locations. Either works:

# Plain PEM bundle; the same file every other TLS client on the box uses:
proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;

# OpenSSL trusted format; same CAs, plus the distribution's trust attributes for OpenSSL to honor:
proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.trust.crt;

Neither line has any effect unless proxy_ssl_verify is on (it defaults to off), and proxy_ssl_trusted_certificate itself exists only in Nginx 1.7.0 and later. If the proxied backend uses a CA you control, a bundle containing just that CA is stricter than either system bundle.

You can inspect the certificates in each bundle:

# View all certificates in the trust bundle (crl2pkcs7 accepts both the plain and the TRUSTED PEM headers):
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.trust.crt | openssl pkcs7 -print_certs -text -noout

# Count certificates in each bundle. The trust bundle's header line is "BEGIN TRUSTED CERTIFICATE",
# so a plain grep for "BEGIN CERTIFICATE" reports 0 there; match both spellings:
grep -cE '^-----BEGIN (TRUSTED )?CERTIFICATE-----' /etc/pki/tls/certs/ca-bundle.crt
grep -cE '^-----BEGIN (TRUSTED )?CERTIFICATE-----' /etc/pki/tls/certs/ca-bundle.trust.crt

What the ca-bundle.trust.crt format actually offers over the plain bundle:

  • Per-CA trust attributes, so OpenSSL knows which purposes (for example serverAuth) the distribution trusts each CA for
  • Room for explicit distrust: a CA can be marked with reject attributes instead of silently disappearing from the file
  • No handshake or memory advantage: both files describe the same CA set, and OpenSSL finds issuers through a subject-hash lookup rather than by scanning the bundle, so bundle size is not a per-connection cost

To restate the distinction: CentOS 6.5 ships both files from the same ca-certificates package, and they describe the same set of CAs in two encodings:

ca-bundle.crt       # Plain PEM "CERTIFICATE" entries; portable to any TLS library
ca-bundle.trust.crt # OpenSSL "TRUSTED CERTIFICATE" entries; same CAs plus trust attributes

The main distinction lies in their format and intended consumer:

  • ca-bundle.crt: the portable bundle
    • Root CAs from the Mozilla store that the distribution trusts for TLS server authentication
    • Readable by OpenSSL, GnuTLS, NSS and Java alike
    • Where update-ca-trust is enabled, a symlink into /etc/pki/ca-trust/extracted/ (check with readlink -f)
  • ca-bundle.trust.crt: the OpenSSL-specific bundle
    • The same root CAs, each tagged with the purposes it is trusted for (serverAuth, clientAuth, emailProtection, codeSigning)
    • Can record explicit distrust of a CA through reject attributes
    • Parsable only by OpenSSL-based software such as Nginx or an OpenSSL-built curl

For the proxy_ssl_trusted_certificate directive, either file works because Nginx is built on OpenSSL; ca-bundle.trust.crt additionally hands OpenSSL the distribution's trust attributes. What matters more is turning verification on, since proxy_ssl_verify defaults to off and the trusted-certificate file is ignored without it:

# Sample nginx configuration (the proxy_ssl_* directives below need nginx 1.7.0 or later)
proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.trust.crt;
proxy_ssl_verify on;                  # off by default: without this nothing is checked
proxy_ssl_verify_depth 2;             # default is 1; raise it when the backend chain has intermediates
proxy_ssl_server_name on;             # send SNI so the backend presents the right certificate
proxy_ssl_name backend.example.com;   # name the backend certificate is checked against (placeholder; defaults to $proxy_host)

ca-bundle.crt is the right file whenever something other than OpenSSL must read the same bundle, or when you want one path shared by every tool on the box. Two Nginx directives that accept it, with a caveat on the first:

# ssl_client_certificate names the CAs whose *client* certificates you accept. Pointing it at the
# public CA bundle means a certificate from any public CA satisfies "ssl_verify_client on"; use the
# CA that actually issues your client certificates here instead.
ssl_client_certificate /etc/pki/tls/certs/ca-bundle.crt;

# ssl_trusted_certificate: CAs used to verify OCSP responses (ssl_stapling_verify) and to complete
# client chains; unlike ssl_client_certificate, this list is not sent to clients
ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;

Compare the entry counts rather than assuming one file is a subset of the other (run this from /etc/pki/tls/certs, or give full paths). The trust bundle's header is "BEGIN TRUSTED CERTIFICATE", so the pattern has to allow for the extra word; a grep for just "BEGIN CERTIFICATE" reports 0 for that file:

# Count certificates in each bundle
grep -cE '^-----BEGIN (TRUSTED )?CERTIFICATE-----' ca-bundle.crt
grep -cE '^-----BEGIN (TRUSTED )?CERTIFICATE-----' ca-bundle.trust.crt

What the .trust version actually gives you over the plain bundle:

  • The distribution's trust decisions travel with the file: per-purpose trust attributes, and reject attributes for explicit distrust, rather than a CA merely being present or absent
  • It is the encoding maintained for OpenSSL consumers, so it stays in step with ca-bundle.crt on updates
  • It does not shrink the trusted root set. If a reduced attack surface is the goal, build a bundle containing only the CA(s) your backends actually use and point proxy_ssl_trusted_certificate at that file
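The certificate-count checks above are easy to get wrong because the two bundles use different PEM headers. The script below is an added example, not code from the original page or from the ca-certificates package: it counts entries per header type, shows what the naive grep reports, and extracts a single entry so it can be fed to openssl. It runs offline on two constructed sample bundles whose certificate bodies are placeholders, not real certificates; the directory name SAMPLE_DIR and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): count the entries in a CA bundle by PEM header.
# grep -c 'BEGIN CERTIFICATE' never matches "-----BEGIN TRUSTED CERTIFICATE-----", which is why
# ca-bundle.trust.crt looks "smaller" when counted that way.

# count_entries FILE TYPE -> number of blocks whose header line is exactly "-----BEGIN TYPE-----"
count_entries() {
    awk -v want="-----BEGIN $2-----" '$0 == want { n++ } END { print n + 0 }' "$1"
}

# naive_count FILE -> what the grep used in the answers reports
# (grep -c prints 0 but exits 1 on zero matches, hence the || true)
naive_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# bundle_summary FILE -> "plain=N trusted=M naive=K"
bundle_summary() {
    printf 'plain=%s trusted=%s naive=%s\n' \
        "$(count_entries "$1" CERTIFICATE)" \
        "$(count_entries "$1" 'TRUSTED CERTIFICATE')" \
        "$(naive_count "$1")"
}

# nth_entry FILE N -> the N-th PEM block (any header), header and footer included,
# ready to pipe into: openssl x509 -noout -subject
nth_entry() {
    awk -v n="$2" '
        /^-----BEGIN / { i++ }
        i == n { print }
        /^-----END / && i == n { exit }
    ' "$1"
}

# Constructed sample bundles so the script runs offline. The bodies are placeholders, not real
# certificates; on a CentOS box call the functions on /etc/pki/tls/certs/ca-bundle*.crt instead.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/ca-bundle.crt" <<'EOF'
# Example CA 1 (placeholder body)
-----BEGIN CERTIFICATE-----
PLACEHOLDER1
-----END CERTIFICATE-----
# Example CA 2 (placeholder body)
-----BEGIN CERTIFICATE-----
PLACEHOLDER2
-----END CERTIFICATE-----
EOF
cat > "$SAMPLE_DIR/ca-bundle.trust.crt" <<'EOF'
# Same CAs in OpenSSL's trusted format: trust attributes live inside the DER, after the certificate
-----BEGIN TRUSTED CERTIFICATE-----
PLACEHOLDER1
-----END TRUSTED CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----
PLACEHOLDER2
-----END TRUSTED CERTIFICATE-----
EOF

for f in ca-bundle.crt ca-bundle.trust.crt; do
    printf '%s: %s\n' "$f" "$(bundle_summary "$SAMPLE_DIR/$f")"
done
# Prints:
# ca-bundle.crt: plain=2 trusted=0 naive=2
# ca-bundle.trust.crt: plain=0 trusted=2 naive=0
```

On a real system, `nth_entry /etc/pki/tls/certs/ca-bundle.trust.crt 1 | openssl x509 -noout -subject` shows that openssl x509 reads the TRUSTED encoding directly, and the same extraction is the simplest way to carve a single CA out of the system store into a narrow bundle for proxy_ssl_trusted_certificate.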