Introduction

This page provides test cases for distrusted certificates, in particular for a Fedora (or RHEL) Linux system that uses the shared CA trust store.

(If you're new to this topic, you might be interested in the following manual page, which explains how the CA certificate trust store works on Fedora/RHEL: man update-ca-trust)

This page will tell you to copy files, with root permissions, into your /etc/pki/ca-trust/source/ directory. Usually you shouldn't follow instructions from random Internet pages that tell you to do that. It's dangerous: anything placed in the anchors/ subdirectory becomes a trusted CA for every application that uses the shared trust store, so an attacker who gets you to install a CA they control can present certificates for websites they don't own, and your software will show them as legitimate.

Only follow these instructions if you understand what you're doing, and clean up after you have tested, by removing the files you install as part of these instructions and running update-ca-trust again. Or even better, use a separate test system for executing these tests, not your usual work computer.


Setup

Download this file named test-ca-ueberhaecker-constraint.txt, and using root (or sudo) permissions, copy it to:

/etc/pki/ca-trust/source/anchors/test-ca-ueberhaecker-constraint.pem

Download this file named test-ca-host2.txt, and using root (or sudo) permissions, copy it to:

/etc/pki/ca-trust/source/blacklist/test-ca-host2.pem

With root permissions, execute this command:

update-ca-trust
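The setup steps above, plus the clean-up the introduction asks for, as one script. This is an added example and not part of the original page: it assumes the two downloaded .txt files are in the current directory, copies them to the paths given above, runs update-ca-trust, and removes them again when invoked with cleanup. CA_TRUST_SOURCE is an assumed environment override so the copy and sanity-check logic can be tried in a scratch directory without root; trust(1) is the p11-kit command-line tool that reads the same store.

```sh
#!/bin/sh
# Added example, not from the original wiki page.
# Installs the two test files into the shared trust store, regenerates the
# bundles, and removes the files again afterwards.  The download step is not
# automated: the two .txt files are expected in the current directory.
#
# CA_TRUST_SOURCE defaults to the Fedora/RHEL path; the override exists only
# so the copy/check logic can be exercised in a scratch directory without root.
CA_TRUST_SOURCE="${CA_TRUST_SOURCE:-/etc/pki/ca-trust/source}"

# Map (role, source file) to its destination in the source tree:
# role "anchor" -> anchors/, role "blacklist" -> blacklist/.
# The .txt suffix of the download is replaced with .pem, as on the page.
ca_trust_dest() {
    role="$1"; src="$2"
    base="$(basename "$src")"; base="${base%.txt}"; base="${base%.pem}.pem"
    case "$role" in
        anchor)    printf '%s/anchors/%s\n'   "$CA_TRUST_SOURCE" "$base" ;;
        blacklist) printf '%s/blacklist/%s\n' "$CA_TRUST_SOURCE" "$base" ;;
        *)         echo "unknown role: $role" >&2; return 2 ;;
    esac
}

# Sanity check before touching the trust store: the file must contain a
# complete PEM certificate block and nothing that looks like a private key.
pem_has_cert() {
    f="$1"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" &&
    grep -q -- '-----END CERTIFICATE-----' "$f" &&
    ! grep -q -- 'PRIVATE KEY' "$f"
}

# Copy one file into place with the same mode as the rest of the tree (0644).
install_trust_file() {
    role="$1"; src="$2"
    pem_has_cert "$src" || { echo "$src: not a PEM certificate, refusing" >&2; return 1; }
    dest="$(ca_trust_dest "$role" "$src")" || return 1
    mkdir -p "$(dirname "$dest")" && cp "$src" "$dest" && chmod 0644 "$dest" || return 1
    echo "installed $dest"
}

# Regenerate the consolidated bundles (needs root), then list the distrusted
# certificates as p11-kit now sees them; the host2 certificate should appear.
refresh_and_show() {
    update-ca-trust
    trust list --filter=blacklist
}

# Remove both test files and regenerate, as the introduction asks you to do
# once you are done testing.
cleanup_test_files() {
    rm -f "$(ca_trust_dest anchor    test-ca-ueberhaecker-constraint.txt)" \
          "$(ca_trust_dest blacklist test-ca-host2.txt)"
    update-ca-trust
}

case "${1:-}" in
    install)
        install_trust_file anchor    test-ca-ueberhaecker-constraint.txt &&
        install_trust_file blacklist test-ca-host2.txt &&
        refresh_and_show ;;
    cleanup) cleanup_test_files ;;
    '')      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 install|cleanup" >&2; exit 2 ;;
esac
```

Run it as root with install before the tests below and with cleanup afterwards. The PEM check is deliberately strict: a file that is not a certificate, or that carries a private key, is refused rather than copied into the store.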

Testing

We will access the following hostnames over HTTPS, using various software, and below are the IDEAL expectations:


Using Firefox, click the following links:


Using NSS tstclnt:

Create a text file (an empty request, just two newlines) that we'll feed to tstclnt on standard input in the later commands:

echo -e "\n\n" > /tmp/req.txt

Now execute the following commands exactly as given (copy/paste each whole line into a terminal):


Using curl. The result might vary depending on which crypto library curl is configured to use.


Using openssl s_client:


Using gnutls-cli:
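The tstclnt, curl, openssl s_client and gnutls-cli checks above, combined into one script that runs each client against the same hostname and prints an accept/reject verdict per tool. This is an added example, not part of the original page; the hostnames under test are not reproduced here, so pass them as arguments. REQ is the request file created above; the file name check-trust.sh and the -d sql:/etc/pki/nssdb choice for tstclnt (the system NSS database, which on Fedora/RHEL is backed by the same shared trust store) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original wiki page.
# Usage (file name is a placeholder):  sh check-trust.sh host1 host2 ...
# Each client is run with its default trust configuration so that the result
# reflects what update-ca-trust installed, and is forced to fail the connection
# (non-zero exit) on a verification error instead of chatting regardless.

REQ="${REQ:-/tmp/req.txt}"   # the two-newline request file from the page

# curl exit codes (see curl(1)): 0 = handshake and request succeeded,
# 60 = peer certificate not trusted by the configured CA store,
# 35 = TLS handshake failed for another reason, 6 = name resolution failed.
classify_curl() {
    case "$1" in
        0)  echo accepted ;;
        60) echo "rejected (certificate not trusted)" ;;
        35) echo "tls handshake error" ;;
        6)  echo "could not resolve host" ;;
        *)  echo "other error (curl exit $1)" ;;
    esac
}

# The other clients only tell us "0 or not": they exit non-zero on a
# verification failure, but also on any other connection error.
classify_status() {
    [ "$1" -eq 0 ] && echo accepted || echo "rejected or failed (exit $1)"
}

report() { printf '%-11s %-40s %s\n' "$1" "$2" "$3"; }

check_host() {
    host="$1"

    rc=0; curl -sS -o /dev/null "https://$host/" 2>/dev/null || rc=$?
    report curl "$host" "$(classify_curl "$rc")"

    # -verify_return_error aborts the handshake on any chain verification
    # error; without it s_client prints the error and continues.
    rc=0; openssl s_client -connect "$host:443" -servername "$host" \
              -verify_return_error </dev/null >/dev/null 2>&1 || rc=$?
    report "openssl" "$host" "$(classify_status "$rc")"

    # gnutls-cli uses the system trust store (via p11-kit) by default and
    # exits non-zero when the server certificate does not verify.
    rc=0; gnutls-cli "$host" </dev/null >/dev/null 2>&1 || rc=$?
    report "gnutls-cli" "$host" "$(classify_status "$rc")"

    # tstclnt reads the request body from stdin after the handshake.
    [ -s "$REQ" ] || printf '\n\n' > "$REQ"
    rc=0; tstclnt -h "$host" -p 443 -d sql:/etc/pki/nssdb <"$REQ" >/dev/null 2>&1 || rc=$?
    report tstclnt "$host" "$(classify_status "$rc")"
}

for host in "$@"; do
    check_host "$host"
done
```

Compare each verdict with the IDEAL expectations listed for that hostname. A rejection for a host whose certificate chains to the blacklisted host2 certificate, and acceptance only for hosts permitted by the constrained test anchor, is what a correctly shared and refreshed trust store should produce; a client that accepts where the others reject is the one whose trust configuration needs a closer look.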