Update Root Certificates

Updates the system CA certificate bundle package using apt-get or yum to maintain current SSL/TLS trust

Worklet Details

What the root certificate updater does

This Automox Worklet™ updates the ca-certificates package on Linux endpoints to refresh the system's trusted root certificate authority store. The Worklet detects whether the endpoint uses yum (RHEL, CentOS, Amazon Linux) or apt-get (Debian, Ubuntu) and runs the appropriate update command.

For yum-based systems, it runs yum update ca-certificates. For apt-based systems, it first runs apt-get update to refresh package lists, then apt-get --only-upgrade install ca-certificates to update only the CA package without affecting other system packages.

Why keep root certificates current

Root certificates are the foundation of SSL/TLS trust. When a root certificate expires or is replaced, applications using the old bundle cannot verify connections to websites and services signed by the new certificates. This causes "certificate verify failed" errors that break critical operations.

Certificate authorities periodically rotate their root certificates for security reasons. Applications and services also obtain new certificates from different CAs as part of normal operations. Keeping the CA bundle current prevents unexpected connectivity failures.

Outdated CA bundles can also contain revoked or compromised certificates. Updating the bundle removes these untrusted certificates, preventing connections to potentially malicious servers that use them.

How certificate bundle updating works

  1. Evaluation phase: Always triggers remediation (exit 1) to check for updates. The package manager determines if an update is actually available.

  2. Remediation phase: Uses which to detect the available package manager. If yum is found, runs yum update ca-certificates -y -q. If apt-get is found, runs apt-get update -y -qq followed by apt-get --only-upgrade install ca-certificates -y -qq. Reports success or failure of the update operation.
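The two phases described above, written out as an added sketch; this is not Automox's Worklet code. It assumes yum is checked before apt-get, uses the shell built-in command -v where the page mentions which, and adds a hypothetical DRY_RUN switch with --dry-run/--apply arguments so the flow can be read without changing the endpoint.

```bash
#!/bin/sh
# Added sketch of the flow described above; not Automox's Worklet code.
# Assumptions: yum is checked before apt-get; `command -v` stands in for `which`.

# Evaluation phase: always report "needs remediation" so the package
# manager itself decides whether a newer ca-certificates exists.
evaluate() { return 1; }

# Echo the first supported package manager found on PATH.
detect_pkg_manager() {
    for candidate in yum apt-get; do
        if command -v "$candidate" >/dev/null 2>&1; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Run a command, or only print it when DRY_RUN=1 (hypothetical switch).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Remediation phase: 0 = updated or already current, 1 = update failed,
# 2 = no supported package manager.
remediate() {
    pm=$(detect_pkg_manager) || {
        echo "FAIL: neither yum nor apt-get found" >&2
        return 2
    }
    case "$pm" in
        yum)
            run yum update ca-certificates -y -q ;;
        apt-get)
            # A failed list refresh stops here instead of upgrading from stale lists.
            run apt-get update -y -qq &&
            run apt-get --only-upgrade install ca-certificates -y -qq ;;
    esac || {
        echo "FAIL: ca-certificates update via $pm failed" >&2
        return 1
    }
    echo "OK: ca-certificates update step completed via $pm"
}

# Nothing runs unless asked: --dry-run prints the commands, --apply needs root.
case "${1:-}" in
    --dry-run) DRY_RUN=1; remediate; exit $? ;;
    --apply)   remediate; exit $? ;;
esac
```

The distinct return codes let a failed repository refresh be told apart from an endpoint that has neither package manager.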

Certificate update requirements

  • Linux endpoints with yum or apt-get package manager

  • Network connectivity to package repositories

  • Root privileges for the Automox agent

  • ca-certificates package installed on the endpoint

  • Compatible with workstations and servers

Expected SSL/TLS state after update

After remediation, the ca-certificates package is at the latest version available in the distribution's repositories. Verify with rpm -q ca-certificates (RHEL/CentOS) or apt-cache policy ca-certificates (Debian/Ubuntu) to see the installed version.

Applications using the system CA bundle can now verify certificates signed by the latest root CAs. Connectivity issues caused by outdated certificates are resolved. No restart is required; applications pick up the new certificates on their next connection attempt.

How to validate Update Root Certificates changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as its exit command.

  4. Validate the effects of the remediation script's operations, such as its else and elif branches and its apt-get commands, then rerun the evaluation for compliance.

For technical validation, compare endpoint state to the Worklet's evaluation logic and remediation flow. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include the exit operation in the evaluation script and the else, elif, and apt-get operations in the remediation script. Use these indicators to verify that endpoint changes match intended policy outcomes.

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
