ca-legacy(8) is used to include or exclude a set of legacy Certificate Authority (CA) certificates in the system's list of trusted CA certificates.
The list of CA certificates and trust flags included in the ca-certificates package is based on the decisions made by Mozilla.org according to the Mozilla CA policy.
Occasionally, removal or distrust decisions made by Mozilla.org might be incompatible with the requirements or limitations of some applications that also use the CA certificates list in the Linux environment.
The ca-certificates package might keep some CA certificates included and trusted by default for as long as the maintainers consider it necessary, even though Mozilla has removed them. These certificates are called legacy CA certificates.
The general requirements to keep legacy CA certificates included and trusted might change over time, for example if functional limitations of software packages have been resolved. Future versions of the ca-certificates package might reduce the set of legacy CA certificates that are included and trusted by default.
The ca-legacy(8) command can be used to override the default behaviour.
The mechanisms to individually trust or distrust CA certificates as described in update-ca-trust(8) still apply.
check
default
disable
install
/etc/pki/ca-trust/ca-legacy.conf
Written by Kai Engert.