The attached patch series 1) adds a (private) python script to extract single certificates in .pem format from a big textfile in mozilla source format; 2) adds the package nss-certs, which contains the certificates thus extracted in OUT/etc/ssl/certs, preprocessed with c_rehash for use with openssl; 3) adds "etc/ssl/certs" as a native-search-path for SSL_CERT_DIR to openssl.
So if you do a guix package -i openssl nss-certs youtube-dl and add SSL_CERT_DIR as stipulated by the text output after the installation, things work out of the box. The search path definition means that we could have alternative root certificate packages (potentially one per certification authority) and that the user could install the ones he trusts. The patches currently are in a branch wip-certs. Suggestions are welcome. Andreas
