Fedora Server 37 CA certificate store most equivalent to LocalMachine\root

cn flag

Fedora Server 37 CA certificate store most equivalent to LocalMachine\root in a Windows environment?

Background notes: I have plenty of experience in the Windows area for certificate management, but Fedora Server is a bit of a new beast. I am learning the nuances of such experiences as certutil as I recently setup and managed to get working (through sheer force of will and determination, many sealert and ldap/sssd google search related sleepless nights, literally) an ldap based login mechanism. I would now like to make sure that I actually installed things where they need to go, so I am looking to make sure I put the certificates where they belong.

In the interest of proper-long tail, I would like to add a separate question for each of LocalMachine\my and LocalMachine\root, LocalMachine\ca type stores, but we can list the equivalencies here as well.

Target goal:

  1. I have acquired a LetsEncrypt certificate. As it renews, I would like to update that certificate as required into the appropriate folder to ensure that my signing chaing remains up to date for the services I am using, and would like to use the most centralized system location that I can.
  2. I would like to avoid having to manually define where to find files in each service's configuration file, instead allowing the built in chain structure to automatically find the required certificates in the expected default locations.
    1. This assumes that all software built for this distro expects to find the certs in the same common folders. A stretch of the imagination, I know.
    2. Alternately, I would like to use the same location for every certificate configuration instead of using app-specific folders.
  3. I would like to have users that need to reference the public files from Let's Encrypt also have access to the same public certificates.
  4. Remove custom configuration in /etc/openldap/ldap.conf, /etc/sssd/sssd.conf, etc that may require the common certificates
  5. Avoid having to use certutil to copy files to local application certificate databases where possible.


  • Fedora Server 37
  • LetsEncrypt certificate collection in /etc/letsencrypt/live//
  • Configured /etc/openldap/ldap.conf
    • Presumably outside the scope of this question, I will create a new post once I get this post correctly configured
  • Configured /etc/sssd/sssd.conf
    • Presumably outside the scope of this question, I will create a new post once I get this post correctly configured

I think that what I want is to put the following files in the following folders:

  • /etc/letsencrypt/live//chain.cert
    • Equivalent on Windows: LocalMachine\TrustRoot (Intermediate Certification Authorities)
    • copy to /etc/pki/CA/certs
  • /etc/letsencrypt/live//fullchain.cert
    • Equivalent on Windows: LocalMachine\Root (Trusted Root Certification Authorities)
    • Because this is Let's Encrypt, it appears that the Fedora Server 37 distro already has the root IG_Root_X1.pem that I need here
    • copy to /etc/pki/ca-trust/source/anchors/
    • copy to /usr/share/pki/ca-trust-source/anchors/
    • run update_ca_trust extract to allow it to extract both sets of certificates into the appropriate stores
  • restorecon some magic string here


  1. Have I made the correct assumptions above?
  2. Do I need to add any commands after copying any of the files to the above locations?
  3. What restorecon command do I need to run after copying files or running update_ca_trust?
  4. Should symlinking in appropriate locations likely be enough once I do this for any apps that demand the cert be placed in an alternate location, or will I probably have to fall back to certutil into the appropriate folder?
sk flag
I would advise against using Fedora for a server. Use RHEL, Rocky, Alma, or one of the other stable RHEL-based distributions if you want the RHEL ecosystem. The default location for certs and related in RHEL is `/etc/pki`, which you found already. Most apps should be easy enough to configure for that folder. Whatever mechanism you use to renew certs (certbot,, etc) typically has to notify apps that the cert has changed (typically a HUP signal, depends on the app). Symlinks are always a good idea, especially if something is in a non-standard location.
jcolebrand avatar
cn flag
I appreciate that you do not personally prefer to run Fedora as a server, but I see no reason why using Fedora Server should be frowned upon. This is partially intended to be a learning opportunity, and partially personal preference. What I wanted was a) long-tail and b) to make sure I understood if I were following expected patterns. Don't suppose you have any feedback on my actual questions? The long tail is giving me the sad, since SEO spam is so high nowadays.
I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.