This directory /usr/share/pki/ca-trust-source/ contains CA certificates and trust settings in the PEM file format. The trust settings found here will be interpreted with a low priority, lower than the ones found in /etc/pki/ca-trust/source. You may install additional certificates or bundles into this directory. Each file may contain one or many certificates and trust flags in a PEM file format, as documented in the x509(1) manual page. Allowed formats are: - The BEGIN/END CERTIFICATE file format. Such certificates will be trusted for TLS server auth, only. - The BEGIN/END TRUSTED CERTIFICATE file format. Such certificates will be trusted or distrusted according to the trust settings contained in the PEM format data blocks. Applications that are able to use PKCS#11 modules can dynamically use the merged set of certificates from /usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source by loading p11-kit-trust.so Applications that rely on a static file for a list of trusted CAs may load one of the files found in the /etc/pki/ca-trust/extracted directory. After modifying the set of files stored in the /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source are modified, it is required to run the ca-update-trust command, in order to update the merged files in /etc/pki/ca-trust/extracted .