SSL/TLS Trust Store Configuration Checklist
Overview
Verify CA bundles, intermediate chains, and trust store paths are correctly configured across Linux, Windows, macOS, Java, Node.js, Python, and Docker environments.
Table of Contents
- Trust Store Locations by Platform
- Linux CA Bundle Verification
- Windows Certificate Store Audit
- macOS Keychain Configuration
- Java Trust Store (cacerts) Checks
- Node.js and Python Trust Configuration
- Docker and Container Trust
- Cross-Platform Validation
Overview
Trust store misconfiguration is the silent cause behind countless “certificate verify failed” errors. Every platform maintains its own trust store with different paths, formats, and update mechanisms. Linux uses PEM bundles in /etc/ssl/certs, Windows has its own certificate store, Java ignores both and uses its own cacerts file, and Node.js can use either the system store or a bundled Mozilla set depending on the version.
This checklist provides a systematic verification procedure for each platform and runtime. Use it when deploying new services, onboarding corporate CAs, or debugging TLS failures that only occur on specific platforms. Each item tells you exactly what to check, where to find it, and what correct configuration looks like.
Particularly valuable for teams managing hybrid environments where the same application runs across multiple platforms.
What’s Included
- Trust store file paths and formats for every major platform (Linux, Windows, macOS)
- Verification commands to confirm specific CA certificates are present and trusted
- Java cacerts audit procedure including checking for expired or untrusted entries
- Node.js NODE_EXTRA_CA_CERTS and —use-openssl-ca configuration verification
- Python requests, urllib3, and certifi bundle configuration checks
- Docker base image trust store verification and custom CA injection patterns