List all available SSL CA certificates

It's not SSL keys you want, it's certificate authorities, and more precisely their certificates.

You could try:

awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

to get the "subject" of every CA certificate in /etc/ssl/certs/ca-certificates.crt.

Beware that sometimes, you get that error when SSL servers forget to provide the intermediate certificates.

Use openssl s_client -showcerts -connect the-git-server:443 to get the list of certificates being sent.


Not sure about Gentoo, but most distros put soft links to their certificates in a system-wide location at /etc/ssl/certs.

  • Key files go into /etc/ssl/private
  • System-provided actual files are located at /usr/share/ca-certificates
  • Custom certificates go into /usr/local/share/ca-certificates

Whenever you put a certificate in one of the above-mentioned paths, run update-ca-certificates to update the /etc/ssl/certs lists.


I had a requirement to list all the certs on our server and notify if they are due to expire. We came up with this command:

locate .pem | grep "\.pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}
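
An added example, not taken from any of the answers above: it splits a PEM bundle such as /etc/ssl/certs/ca-certificates.crt into individual certificates and uses openssl's -checkend to report only those that will have expired within a given number of days. The function names split_bundle and expiring_certs are made up for this example.

```shell
#!/bin/sh
# Added example; split_bundle and expiring_certs are hypothetical helper names.

# split_bundle BUNDLE OUTDIR
# Write each certificate found in BUNDLE to OUTDIR/cert-NNNN.pem.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# expiring_certs BUNDLE [DAYS]
# Print "notAfter=<date><TAB>subject=<name>" for every certificate in BUNDLE
# that is already expired or will expire within DAYS days (default 30).
expiring_certs() {
    bundle=$1
    days=${2:-30}
    tmp=$(mktemp -d) || return 1
    split_bundle "$bundle" "$tmp"
    for pem in "$tmp"/cert-*.pem; do
        [ -e "$pem" ] || continue   # bundle contained no certificates
        # Skip blocks that do not parse, so they are not reported as expiring.
        if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
            echo "skipping unparseable certificate block in $bundle" >&2
            continue
        fi
        # -checkend exits non-zero when the certificate expires inside the window.
        if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$pem" -noout -enddate)
            subj=$(openssl x509 -in "$pem" -noout -subject)
            printf '%s\t%s\n' "$end" "$subj"
        fi
    done
    rm -rf "$tmp"
}
```

For example, `expiring_certs /etc/ssl/certs/ca-certificates.crt 90` lists the CA certificates that expire within the next 90 days; empty output means none do.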
