On CentOS 6.5, in /etc/pki/tls/certs I have:
ca-bundle.crt
and
ca-bundle.trust.crt
With different file sizes. Which should I use as the trust path for nginx proxy_ssl_trusted_certificate.
SnapOverflow
ca-bundle.trust.crtholds certs with "extended validation".The difference between "normal" certs and certs with EV is that you EV certs need something like a personal or company validation by i.e. validating the identity of a person by his/her passport.
This means that if you want to get an EV cert you'll have to identify yourself to the cert issuer by i.e. your passport. If you "are" a company then an equivalent procedure (don't know it exactly) must happen. This is most essential for online banking: You must be sure that not only the server you connect to is certified but also the bank is certified.
Because of that the EV certs are more "complicated" and contain additional fields to "identify" not only the server but also the company.
To come back to your answer:
It depends on your usage. Most people should use
ca-bundle.crt. If you "are" a bank or an online shop which needs very high level of certification and "trust" then you should useca-bundle.trust.crt.After "exploding" the bundles using a little Perl script, then running
diff --side-by-sideon the certificate of the Government of Taiwan (as an example, taken only because it is the only certificate in the bundle withoutCNattribute in theIssuerandSubjectlines) (uses SHA1 but that's okay) we see the difference:ca-bundle.trust.crton the leftca-bundle.crton the right-----BEGIN TRUSTED CERTIFICATE----- | -----BEGIN CERTIFICATE----- MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFA MIIFcjCCA1qgAwIBAgIQH51ZWtcvwgZEpYAIaeNe9jANBgkqhkiG9w0BAQUFA ... LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDM LMDDav7v3Aun+kbfYNucpllQdSNpc5Oy+fwC00fmcc4QAu4njIT/rEUNE1yDM pYYsfPQSMCMwFAYIKwYBBQUHAwQGCCsGAQUFBwMBDAtUYWl3YW4gR1JDQQ== | pYYsfPQS -----END TRUSTED CERTIFICATE----- | -----END CERTIFICATE----- Certificate: Certificate: Data: Data: Version: 3 (0x2) Version: 3 (0x2) Serial Number: Serial Number: 1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6 Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption Issuer: C = TW, O = Government Root Certification Aut Issuer: C = TW, O = Government Root Certification Aut Validity Validity Not Before: Dec 5 13:23:33 2002 GMT Not Before: Dec 5 13:23:33 2002 GMT Not After : Dec 5 13:23:33 2032 GMT Not After : Dec 5 13:23:33 2032 GMT Subject: C = TW, O = Government Root Certification Au Subject: C = TW, O = Government Root Certification Au Subject Public Key Info: Subject Public Key Info: Public Key Algorithm: rsaEncryption Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) RSA Public-Key: (4096 bit) Modulus: Modulus: 00:9a:25:b8:ec:cc:a2:75:a8:7b:f7:ce:5b:59 00:9a:25:b8:ec:cc:a2:75:a8:7b:f7:ce:5b:59 ... ... 95:7a:98:c1:91:3c:95:23:b2:0e:f4:79:b4:c9 95:7a:98:c1:91:3c:95:23:b2:0e:f4:79:b4:c9 c1:4a:21 c1:4a:21 Exponent: 65537 (0x10001) Exponent: 65537 (0x10001) X509v3 extensions: X509v3 extensions: X509v3 Subject Key Identifier: X509v3 Subject Key Identifier: CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62: CC:CC:EF:CC:29:60:A4:3B:B1:92:B6:3C:FA:32:62: X509v3 Basic Constraints: X509v3 Basic Constraints: CA:TRUE CA:TRUE setCext-hashedRoot: setCext-hashedRoot: 0/0-...0...+......0...g*........"...(6....2.1 0/0-...0...+......0...g*........"...(6....2.1 Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption 40:80:4a:fa:26:c9:ce:5e:30:dd:4f:86:74:76:58:f5:ae:b 40:80:4a:fa:26:c9:ce:5e:30:dd:4f:86:74:76:58:f5:ae:b ... ... e0:25:a5:86:2c:7c:f4:12 e0:25:a5:86:2c:7c:f4:12 Trusted Uses: < E-mail Protection, TLS Web Server Authentication < No Rejected Uses. < Alias: Taiwan GRCA <