Re: Can security/ca_root_nss be retired?

From: Andrea Venturoli <>
Date: Fri, 20 Jan 2023 11:41:53 UTC
On 1/20/23 12:17, Hajimu UMEMOTO wrote:

> You can put your private CAs into /usr/local/etc/ssl/certs.

Well, I never thought of this.
I always put them in /etc/ssl/certs.

> Running "certctl rehash" makes symlinks of the certs in
> /usr/local/etc/ssl/certs into /etc/ssl/certs.

In the end, however, the result is the same: I have my certs hashed in 
/etc/ssl/certs, but some software will use them, some other software 
uses/prefers some different store (I counted at least 5).

I understand it's mostly a matter of fixing (?) those softwares, but it 
would help if:
_ there was a clear policy that proper certs are those in /etc/ssl/certs 
(or whatever else);
_ there wasn't a widely required port (ca_root_nss) that installs two 
additional stores side by side with the "official" (?) one.