On 1/20/23 12:17, Hajimu UMEMOTO wrote:
> You can put your private CAs into /usr/local/etc/ssl/certs.
Well, I never thought of this. I always put them in /etc/ssl/certs.
> Running "certctl rehash" makes symlinks of the certs in /usr/local/etc/ssl/certs into /etc/ssl/certs.
In the end, however, the result is the same: I have my certs hashed in /etc/ssl/certs, but some software will use them, some other software uses/prefers some different store (I counted at least 5).
I understand it's mostly a matter of fixing (?) that software, but it would help if:
- there was a clear policy that proper certs are those in /etc/ssl/certs (or whatever else);
- there wasn't a widely required port (ca_root_nss) that installs two additional stores side by side with the "official" (?) one.
bye av.