> Is there a place to put them that is automatically read in addition to > cert.pem?
There is also the question of removing some of them and keeping these removed between updates, e.g. a domain plundering hosting company that is not trust worthy. One thing that comes to mind is the recent sed -i addition.
