SSL Certificates in base

Kyle Evans kevans at
Wed Feb 24 13:53:40 UTC 2021

On Wed, Feb 24, 2021 at 2:58 AM Andrea Venturoli <ml at> wrote:
> Hello again.
> Sorry if this a dumb question or FAQ: I tried, but failed to find any
> official documentation on this.
> In the past, I've always installed security/ca_root_nss to let SSL work,
> as there were no CA certificates in base.
> 12.2 (and possibly older 12.x, I don't know) already provide several
> certificates in /usr/share/certs/trusted.

12.2 is indeed the first here, though 11.4 has the infrastructure for it.

> How are we expected to deal with this?
> Is security/ca_root_nss still needed/suggested?
> Is it expected to be obsoleted (although easier to update)?

For most people, stuff 'just works'. If you need to add your own roots
to the trust store, then security/ca_root_nss may (will?) be a
problem. Too much stuff has a hard dependency on it, so I have a side
branch to add a USES=caroot and remove that dependency on FreeBSD
versions that can do so.

> What's the correct procedure to add additional certificates?
> I guess just dropping them in /usr/share/certs/trusted won't be enough...

The current model (which is, IMO, still a little wrong path-wise) is
that you should add your own to /usr/local/share/certs then execute
`certctl rehash`. The exact path is going to change and that one
specifically will be phased out in favor of mirroring the base
hierarchy as we should have done, but we'll make sure those changes
are communicated properly.


Kyle Evans

More information about the freebsd-questions mailing list