So for the avoidance of doubt, every independent distro has its own custom ca-certificates package with no shared history. I know Debian, Fedora, and openSUSE all have their own completely separate upstreams. Looking at what Fedora does is probably a good idea indeed, just keep in mind it has no shared history with Debian's package. I took a quick look at openSUSE's package and it looks like it has good p11-kit integration as well. Arch uses Fedora; not sure about other independent distros. They all use Mozilla's certificates, but Mozilla doesn't release a package in a way that's directly usable by distros.
Debian's ca-certificates implements certificate blacklisting by putting a ! character at the start of a line in /etc/ca-certificates.conf (which doesn't exist on other distros). Once a certificate is removed, it stays removed, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339 which was never fixed. ** Bug watch added: Debian Bug tracker #743339 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1647285 Title: SSL trust not system-wide To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs