Re: Can security/ca_root_nss be retired?

From: Tomoaki AOKI <>
Date: Fri, 20 Jan 2023 09:35:31 UTC

On Fri, 20 Jan 2023 09:16:11 +0100
Andrea Venturoli <> wrote:

> On 1/19/23 18:04, Eugene Grosbein wrote:
> >> Given /usr/share/certs exists for all supported releases, is there any reason to keep the ca_root_nss port?
> Just my 2c...
> > A single port may be updated more frequently and easily than the base system.
> I agree on this, but there's another problem.
> Base has single certs in /etc/ssl/certs, where I can add my own private 
> CAs' ones.
> Port provides a single bundled file in
> /usr/local/etc/ssl/cert.pem.
> This (at least in some cases) overrides completely the ones in 
> /etc/ssl/certs, so my own private CAs will not work anymore.
> In the end, I have to delete /usr/local/etc/ssl/cert.pem every time the 
> port creates it (and currently I have found no way to prevent it from 
> doing this).
> So a port would be fine, possibly very appreciated, if it wouldn't 
> disrupt base/local.
>   bye
> 	av.
> Then there's www/p5-Mozilla-CA and possibly others...

Doesn't the ETCSYMLINK option work?
As it's the default option, you need to install security/ca_root_nss
from ports with the option disabled, not pkg.

Possibly, somehow changing the priority between /etc/ssl/certs
and /usr/local/etc/ssl is necessary. Sorry, I don't know how to do so.

Tomoaki AOKI    <>