CA and Trust Management

Create local Certificate Authorities, manage their lifecycle, and install them into system, Firefox, JVM, and Windows trust stores. This is the foundation of the Elide PKI -- everything else (generate, trust, verify) builds on top of the CA you create here.

---

Creating a CA

```bash
elide crt ca
```

This generates an ECDSA P-256 Certificate Authority named "Elide Local CA" with a 10-year validity period and saves it to the platform-specific PKI directory (typically ~/.local/share/elide/pki/ca/ on Linux). The CA can then sign leaf certificates via elide crt generate and be trusted system-wide via elide crt trust.

If a CA already exists, the command refuses to overwrite it and suggests using --show or --force.

Custom key type and validity

```bash
elide crt ca --key-type ecdsa-p384 --days 1825 --name "My Dev CA"
```

Supported key algorithms

| Value | Algorithm | Notes |
|---|---|---|
| ecdsa-p256 | ECDSA with NIST P-256 | Default. Best balance of performance and compatibility |
| ecdsa-p384 | ECDSA with NIST P-384 | Stronger curve, slightly larger signatures |
| ed25519 | Edwards-curve Ed25519 | Fast signing, compact keys. Some older clients may not support it |

Shorthand aliases are also accepted: p256 for ecdsa-p256, p384 for ecdsa-p384.

Proxy MITM CA

The forward proxy (elide fwd) uses a separate CA for TLS interception, isolating MITM-signed certificates from your development CA:

```bash
elide crt ca --proxy
```

This creates a second CA under the proxy-ca/ subdirectory with the name "Elide Local CA (Proxy)". The proxy CA and the main CA are managed independently -- each has its own certificate and private key.

Viewing an existing CA

Display the details of an existing CA without regenerating it:

```bash
elide crt ca --show
```

For the proxy CA:

```bash
elide crt ca --show --proxy
```

Output includes the subject, issuer, fingerprint (SHA-256), validity dates, key algorithm, and key usage. Add --json for structured output.

Certificate Transparency log

Enable an embedded CT log for the CA. When configured, every certificate issued by this CA is submitted to the log, and the resulting SCT (Signed Certificate Timestamp) is embedded in the certificate as an X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2):

```bash
elide crt ca --ct-log ./ct-data
```

The embedded CT log is useful for testing Certificate Transparency pipelines locally. For production use, submit certificates to public CT logs (Google Argon, Cloudflare Nimbus, etc.) instead.

Overwriting an existing CA

By default, elide crt ca refuses to overwrite an existing CA. Use --force to regenerate:

```bash
elide crt ca --force
```

Overwriting a CA invalidates all certificates previously signed by it. Any trust store entries for the old CA will also need to be updated.

Custom output directory

Store the CA in a specific directory instead of the default PKI store:

```bash
elide crt ca --out-dir /opt/elide/pki
```

---

CLI reference: ca

```bash
elide crt ca [OPTIONS]
```

| Flag | Default | Description |
|---|---|---|
| --name | Elide Local CA | Common Name for the CA certificate |
| --days | 3650 | Validity period in days (default: 10 years) |
| --key-type | ecdsa-p256 | Key algorithm: ecdsa-p256, ecdsa-p384, or ed25519 |
| --out-dir | platform default | Output directory for CA files |
| --proxy | false | Generate a separate MITM proxy CA |
| --show | false | Display existing CA info instead of generating a new one |
| --force | false | Overwrite an existing CA |
| --ct-log | none | Enable embedded CT log (provide data directory path) |
| --json | false | Output in JSON format |

---

Trusting a CA

Install the Elide local CA into your operating system's trust store so that certificates signed by it are accepted by browsers, curl, and other TLS clients:

```bash
sudo elide crt trust
```

On Linux and macOS, system trust store operations require root privileges. On Windows, the current-user store works without elevation; use --system for the machine-wide store (requires Administrator). Use --dry-run to preview the commands without executing them.

Platform support

Elide auto-detects the platform trust store:

| Platform | Backend | Mechanism |
|---|---|---|
| Debian, Ubuntu | update-ca-certificates | Copies to /usr/local/share/ca-certificates/ |
| RHEL, Fedora | update-ca-trust | Copies to /etc/pki/ca-trust/source/anchors/ |
| Various Linux | p11-kit trust | Runs trust anchor --store |
| macOS | security CLI | Adds to the user or system keychain |
| Windows | certutil.exe / PowerShell | Imports into CurrentUser\Root or LocalMachine\Root |
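The detection and dry-run behaviour described above, as an added illustration that is not Elide's own code: the script picks the backend the same way the table does (first matching tool wins) and prints the commands a dry run would show. BIN_DIR is an assumed parameter so the lookup can run against a constructed directory rather than the live PATH; the anchor file name and the exact security/certutil invocations are assumptions, since the page only names the tools.

```bash
#!/bin/sh
# Added example: emulate Elide's trust-store backend detection and dry-run plan.

# detect_trust_backend BIN_DIR -> prints the backend name, or "none".
# Order mirrors the platform table: Debian tooling, then RHEL, then p11-kit,
# then macOS, then Windows.
detect_trust_backend() {
  dir=$1
  if   [ -x "$dir/update-ca-certificates" ]; then echo update-ca-certificates
  elif [ -x "$dir/update-ca-trust" ];       then echo update-ca-trust
  elif [ -x "$dir/trust" ];                 then echo p11-kit
  elif [ -x "$dir/security" ];              then echo security
  elif [ -x "$dir/certutil.exe" ];          then echo certutil
  else echo none
  fi
}

# trust_plan BACKEND CA_FILE -> prints what a dry run would execute for that
# backend (assumed invocations; Elide's real ones come from `--dry-run`).
trust_plan() {
  backend=$1; ca=$2
  case $backend in
    update-ca-certificates)
      echo "cp $ca /usr/local/share/ca-certificates/elide-local-ca.crt"
      echo "update-ca-certificates" ;;
    update-ca-trust)
      echo "cp $ca /etc/pki/ca-trust/source/anchors/elide-local-ca.crt"
      echo "update-ca-trust" ;;
    p11-kit)
      echo "trust anchor --store $ca" ;;
    security)
      echo "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $ca" ;;
    certutil)
      echo "certutil.exe -addstore Root $ca" ;;
    *)
      echo "no supported trust store backend found" >&2
      return 1 ;;
  esac
}

# Demo against the real /usr/bin when invoked as: sh script.sh --demo
if [ "${1-}" = "--demo" ]; then
  b=$(detect_trust_backend /usr/bin)
  echo "backend: $b"
  trust_plan "$b" "$HOME/.local/share/elide/pki/ca/ca.crt"
fi
```

Reviewing the printed plan before running `sudo elide crt trust` is the cheap way to confirm which store, and therefore which users and clients, the CA will be trusted by.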

Trust a specific certificate file

Instead of the default Elide local CA, trust any PEM-encoded CA certificate:

```bash
sudo elide crt trust /path/to/custom-ca.crt
```

Trust the proxy CA

```bash
sudo elide crt trust --proxy
```

Firefox NSS store

Firefox uses its own per-profile certificate database (cert9.db). Use --firefox to install the CA into all detected Firefox profiles via certutil:

```bash
sudo elide crt trust --firefox
```

JVM trust store (cacerts)

Java applications use their own trust store (cacerts). Install the CA into it with --java:

```bash
sudo elide crt trust --java
```

If the JVM is not at the standard location, specify it:

```bash
sudo elide crt trust --java --java-home /usr/lib/jvm/java-21
```

The CA is imported with the alias elide-local-ca using keytool -importcert with the default keystore password (changeit).

Windows machine-wide store

On Windows, elide crt trust targets the current-user store by default. To install into the machine-wide LocalMachine\Root store (affects all users), add --system:

```bash
elide crt trust --system
```

This requires running as Administrator.

Dry run

Preview what would happen without making any changes:

```bash
elide crt trust --dry-run
```

This prints the exact file copies and system commands that would be executed, without running them.

---

CLI reference: trust

```bash
elide crt trust [OPTIONS] [FILE]
```

| Flag | Default | Description |
|---|---|---|
| FILE | Elide local CA | CA certificate file to trust (omit to use the Elide local CA) |
| --proxy | false | Trust the proxy MITM CA instead of the main CA |
| --firefox | false | Also install into the Firefox/NSS certificate store |
| --java | false | Also install into the JVM trust store (cacerts) |
| --java-home | $JAVA_HOME | JVM home directory (used with --java) |
| --system | false | Install into the machine-wide store (Windows: requires Administrator) |
| --dry-run | false | Show what would be done without executing |
| --json | false | Output in JSON format |

---

Removing trust

Remove the Elide local CA from the system trust store:

```bash
sudo elide crt untrust
```

Remove from all stores

Remove from the system trust store, the Firefox NSS database, and the JVM trust store in one command:

```bash
sudo elide crt untrust --all
```

Remove the proxy CA

```bash
sudo elide crt untrust --proxy
```

Dry run

```bash
elide crt untrust --dry-run
```

---

CLI reference: untrust

```bash
elide crt untrust [OPTIONS] [FILE]
```

| Flag | Default | Description |
|---|---|---|
| FILE | Elide local CA | CA certificate file to remove (omit to use the Elide local CA) |
| --proxy | false | Remove the proxy MITM CA |
| --firefox | false | Also remove from the Firefox/NSS certificate store |
| --java | false | Also remove from the JVM trust store (cacerts) |
| --java-home | $JAVA_HOME | JVM home directory (used with --java) |
| --all | false | Remove from all stores (system + Firefox NSS + JVM) |
| --system | false | Remove from the machine-wide store (Windows: requires Administrator) |
| --dry-run | false | Show what would be done without executing |
| --json | false | Output in JSON format |

---

See also