splitting ca_root_nss into component pem files

Dan Mahoney (Gushi) freebsd at gushi.org
Fri Feb 12 08:42:26 UTC 2021


Allan (and all),

I notice FreeBSD now comes with certctl which knows how to split and 
manage trusted SSL certs.  FreeBSD 12.2 includes a /usr/share/ssl/certs 
directory now (no mention of that in the release notes?) and a tool called 
certctl.

Certctl has (for some reason) been backported to 11.x, where there are no 
individual certs provided by default, so I'm confused as to why this is.

ca_root_nss only provides a monolithic cert.

Some apps require a directory of hashes and symlinks.  This is common, 
especially when you want to trust your local CA as well as the netscape 
ones.  Additionally, some tools (like sendmail) seem to require the 
symlinked approach.

Is there a tool (installed with base, or from ports) that will do this 
splitting of ca_root_nss, to some standard directory?  (certctl doesn't 
appear to).

Should this not be a standard thing in the pkg-message for ca_root_nss?

(This seems to be a tangly problem to google).

Note that I solved this myself a few years back: 
https://gushi.dreamwidth.org/1064679.html, but I'd like to have a "right" 
answer.

But...this feels like something that should have a base tool AND be in the 
handbook, since the *removal* of a cert from ca_root_nss will cause users 
to still trust it -- a clean rebuild should be possible.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
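The split-and-symlink layout Dan is asking about, as an added example that is not part of the original post, of certctl, or of the ca_root_nss port. It is a POSIX sh script that takes a monolithic PEM bundle (the ca_root_nss file on FreeBSD lives at /usr/local/share/certs/ca-root-nss.crt; the path below is a parameter, not hard-coded), writes one certificate per file, and links each file under its OpenSSL subject-name hash as HASH.0, HASH.1, ... on collisions, which is exactly the layout `-CApath` lookups and c_rehash expect. It rebuilds the target directory from scratch every run, so a certificate dropped from the bundle also drops out of the trust directory, which addresses the stale-trust concern above. Function and directory names are my own.

```shell
#!/bin/sh
# split_ca_bundle.sh: split a PEM CA bundle into one-cert-per-file and
# build the HASH.N -> file symlinks that OpenSSL's CApath lookup uses.
# Added example; not FreeBSD's certctl or the ca_root_nss port's script.
set -e

# split_ca_bundle BUNDLE OUTDIR
# OUTDIR is wiped and rebuilt, so removals from BUNDLE propagate.
split_ca_bundle() {
    bundle=$1
    outdir=$2
    rm -rf "$outdir"
    mkdir -p "$outdir"

    # Copy each BEGIN/END CERTIFICATE block into its own numbered file;
    # anything between blocks (comments, trust headers) is dropped.
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                      { print > out }
        /-----END CERTIFICATE-----/    { close(out); out = "" }
    ' "$bundle"

    # Link each file under its subject hash (openssl x509 -subject_hash).
    # Two CAs with the same subject name get HASH.0 and HASH.1, the same
    # collision scheme c_rehash / openssl rehash use.
    for f in "$outdir"/cert-*.pem; do
        [ -e "$f" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$f")
        i=0
        while [ -e "$outdir/$hash.$i" ]; do
            i=$((i + 1))
        done
        ln -s "$(basename "$f")" "$outdir/$hash.$i"
    done
}

# count_links OUTDIR: number of hash symlinks, i.e. trusted certificates.
count_links() {
    n=0
    for l in "$1"/*; do
        [ -L "$l" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage (assumed FreeBSD paths):
#   split_ca_bundle /usr/local/share/certs/ca-root-nss.crt /usr/local/etc/ssl/certs
#   openssl verify -CApath /usr/local/etc/ssl/certs some-server-cert.pem
```

Once the bundle is split, the linking step alone can also be done with `openssl rehash DIR` (OpenSSL 1.1.0 and later) or the older `c_rehash` perl script; the loop above just makes the naming scheme visible. Tools linked against OpenSSL 0.9.8-era libraries look up the MD5-based hash instead (`openssl x509 -subject_hash_old`), so a directory meant for such a tool needs a second set of links. To trust a local CA alongside the bundle, append its PEM to the input file (or drop a second file into the loop) before running the rebuild, rather than hand-placing links that the next rebuild would delete.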
