Hi,

On Thu, 2026-05-14 at 01:26 +0000, Stuart Henderson wrote:
> On 2026-05-12, Igor Zornik <[email protected]> wrote:
> > Would it make sense to have cert.base.pem instead of cert.pem and
> > folder /etc/ssl/ssl.d where you would store all the other trusted
> > CAs? Then you would run a utility "newcerts" (akin to newaliases)
> > that creates cert.pem which is an amalgamation of system provided
> > certificates plus everything in folder ssl.d.
>
> Separate files within a directory is much more difficult because you
> need to be able to _remove_ CAs with OS updates, and our standard
> mechanism for applying updates is tar.
>
Maybe I misunderstood you, but the ssl.d folder's purpose would be a place to provide your own additional certificates. It would be read-only by the system. Something like /etc/login.conf.d. This applies only to the part of trusting additional certs, not distrusting existing ones. Then, if a utility like newcerts existed, it would merge cert.pem and ssl.d/*. You could even hook it to sysupgrade. In essence, a glorified "cat cert.base.pem ssl.d/* > cert.pem".
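As an added illustration of the "glorified cat" proposed above (example code written for this thread, not OpenBSD's tooling and not the poster's), here is a POSIX sh sketch of such a newcerts step. Beyond a bare cat, it refuses a base bundle with no certificates, skips files in the directory that contain no PEM certificate block, drops any duplicate block so a local copy of a system CA does not appear twice, and replaces the output atomically so a reader never sees a half-written cert.pem. The paths cert.base.pem, ssl.d and cert.pem are the hypothetical ones from the proposal; the certificate blocks in the demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: a "newcerts"-style merge of a base CA bundle with the
# contents of a local ssl.d directory. Hypothetical layout, not any
# OS's own tooling.

# count_certs FILE: number of PEM certificate blocks in FILE (0 if absent)
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# merge_pem FILE...: print each PEM certificate block once, in order of
# first appearance; text outside BEGIN/END lines is dropped.
merge_pem() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblk = 1; blk = "" }
        inblk { blk = blk $0 "\n" }
        /^-----END CERTIFICATE-----$/ {
            inblk = 0
            if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }
        }
    ' "$@"
}

# newcerts BASE DIR OUT: rebuild OUT from BASE plus every usable file in DIR
newcerts() {
    base=$1; dir=$2; out=$3
    if [ "$(count_certs "$base")" -eq 0 ]; then
        echo "newcerts: $base contains no certificates, refusing" >&2
        return 1
    fi
    set -- "$base"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # no matches, or not a regular file
        if [ "$(count_certs "$f")" -eq 0 ]; then
            echo "newcerts: skipping $f (no PEM certificate found)" >&2
            continue
        fi
        set -- "$@" "$f"
    done
    tmp="$out.tmp.$$"
    # write to a temp file first, then rename: readers see old or new, never a torso
    merge_pem "$@" > "$tmp" && mv "$tmp" "$out"
}

# mkcert LABEL: emit a constructed placeholder block (NOT a real certificate)
mkcert() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# Stand-alone demo in a scratch directory with constructed input.
demo_newcerts() {
    w=$(mktemp -d)
    mkcert BASE1 > "$w/cert.base.pem"
    mkdir "$w/ssl.d"
    mkcert LOCAL1 > "$w/ssl.d/corp-ca.pem"
    { mkcert BASE1; mkcert LOCAL2; } > "$w/ssl.d/mixed.pem"   # BASE1 is a duplicate
    echo "this is not a certificate" > "$w/ssl.d/README"
    newcerts "$w/cert.base.pem" "$w/ssl.d" "$w/cert.pem"
    n=$(count_certs "$w/cert.pem")
    rm -rf "$w"
    echo "$n"    # number of distinct blocks written: 3
}

demo_newcerts
```

The dedup key is the whole block text, which is enough for identical copies but will not catch the same CA encoded with different line wrapping; a production version would normalize with openssl x509 and compare fingerprints instead.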

