Re: Can security/ca_root_nss be retired?

From: Hajimu UMEMOTO
Date: Fri, 20 Jan 2023 11:17:31 UTC

On Fri, 20 Jan 2023 17:16:11 +0900, Andrea Venturoli wrote:
> Base has single certs in /etc/ssl/certs, where I can add my own
> private CAs' ones.
> Port provides a single bundled file in
> /usr/local/etc/ssl/cert.pem.
> This (at least in some cases) overrides completely the ones in
> /etc/ssl/certs, so my own private CAs will not work anymore.
> In the end, I have to delete /usr/local/etc/ssl/cert.pem every time
> the port creates it (and currently I have found no way to prevent it
> from doing this).

You can put your private CAs into /usr/local/etc/ssl/certs.
Running "certctl rehash" makes symlinks of the certs in
/usr/local/etc/ssl/certs into /etc/ssl/certs.
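
The procedure from the reply above, as an added shell example that is not part of the original message: it stages one private CA file in /usr/local/etc/ssl/certs, runs "certctl rehash", and checks that a symlink in /etc/ssl/certs resolves to the staged file. The function names, the one-certificate-per-file check and the file name in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root on the FreeBSD host.
# Usage after sourcing this file (my-private-ca.pem is a hypothetical name):
#   stage_private_ca my-private-ca.pem && rehash_and_verify my-private-ca.pem

TRUST_DIR=${TRUST_DIR:-/usr/local/etc/ssl/certs}  # directory named in the reply
HASH_DIR=${HASH_DIR:-/etc/ssl/certs}              # where the symlinks appear

# Count PEM certificate blocks in a file (prints 0 when there are none).
pem_cert_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Copy a CA file into TRUST_DIR. Assumption of this example: each staged
# file holds exactly one certificate, so a bundle is rejected, not copied.
stage_private_ca() {
    src=$1
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    if [ "$(pem_cert_count "$src")" -ne 1 ]; then
        echo "$src: expected exactly one certificate" >&2
        return 1
    fi
    mkdir -p "$TRUST_DIR" || return 1
    cp "$src" "$TRUST_DIR/$(basename "$src")" || return 1
    chmod 0444 "$TRUST_DIR/$(basename "$src")"
}

# Rebuild the symlinks, then confirm that one of them resolves to the
# staged file. No assumption is made about how the symlink is named.
rehash_and_verify() {
    staged=$(readlink -f "$TRUST_DIR/$(basename "$1")")
    certctl rehash || return 1
    for link in "$HASH_DIR"/*; do
        if [ -L "$link" ] && [ "$(readlink -f "$link")" = "$staged" ]; then
            echo "trusted via $link"
            return 0
        fi
    done
    echo "no symlink in $HASH_DIR points at $staged" >&2
    return 1
}
```

A non-zero return from rehash_and_verify means the CA is staged but not yet reachable through /etc/ssl/certs.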