Thanks for that, Stuart. Yeah, I'll back it up going forward and concatenate the local CA in afterwards.
Much obliged,
Tom Smyth

On Thu, 7 May 2026 at 12:06, Stuart Henderson <[email protected]> wrote:

> On 2026-05-06, Tom Smyth <[email protected]> wrote:
> > is there a more elegant way of adding private trusted CAs to OpenBSD...
>
> not at present.
>
> > is there a
> >
> > I used to simply
> > cat ca-chainfil.pem >> /etc/ssl/cert.pem
> >
> > in the past (distant past) modifying that cert.pem I had encountered issues
> > with upgrades
>
> sysmerge should do it, but the sdiff(1) UI isn't super-clean for this.
>
> > is there a simple way to do /etc/ssl/cert.pem.local
> > i.e.
> >
> > cat ca-chainfil.pem >> /etc/ssl/cert.pem.local
> >
> > any thoughts ? advice welcome
>
> I think the best simple way to handle this would be if we include a
> second copy of cert.pem in baseXX.tgz (e.g. in /etc/examples), so that
> it's extracted directly, rather than etc.tgz/sysmerge. If we did that,
> you'd be able to do this in /upgrade.site:
>
> cd /etc/ssl && cat /etc/examples/cert.pem cert.local > cert.new &&
> mv cert.new cert.pem
>
> While there are some other possible reasons to modify cert.pem (i.e.
> untrusting certain CAs), adding a local one has to be by far the most
> common.

--
Kindest regards,
Tom Smyth.
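
The concatenate-then-rename step discussed above, written as a reusable sh function. This is an added example, not code from either poster or from OpenBSD. The function names are hypothetical and every path is passed as an argument, since the thread only proposes shipping a pristine copy under /etc/examples. Building from the pristine copy each time, rather than appending to the live cert.pem, keeps repeated runs from duplicating the local CA.

```shell
#!/bin/sh
# Added example: rebuild a trust bundle from a pristine copy plus local CAs.
# Function names are hypothetical; all paths are caller-supplied arguments.

# count_pem FILE BEGIN|END -> prints how many certificate markers FILE holds
count_pem() {
	grep -c -x -e "-----$2 CERTIFICATE-----" "$1" || true
}

# rebuild_bundle PRISTINE LOCAL TARGET
# Returns 0 on success. On any failure TARGET is left untouched.
rebuild_bundle() {
	pristine=$1 local_ca=$2 target=$3
	for f in "$pristine" "$local_ca"; do
		[ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
		b=$(count_pem "$f" BEGIN)
		e=$(count_pem "$f" END)
		# Reject truncated files and files holding no certificates.
		if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then
			echo "not a well-formed PEM certificate file: $f" >&2
			return 1
		fi
	done
	# The bundle is world-readable, so a key must never end up in it.
	if grep -q -e 'PRIVATE KEY-----' "$local_ca"; then
		echo "refusing: $local_ca contains a private key" >&2
		return 1
	fi
	# Temp file in the target's directory, so mv is an atomic rename.
	tmp=$(mktemp "$target.XXXXXXXXXX") || return 1
	# mktemp creates the file 0600; unprivileged programs must read it.
	if cat "$pristine" "$local_ca" > "$tmp" &&
	    chmod 644 "$tmp" && mv "$tmp" "$target"; then
		return 0
	fi
	rm -f "$tmp"
	return 1
}

# Run directly as: script PRISTINE LOCAL TARGET
if [ "$#" -eq 3 ]; then
	rebuild_bundle "$@"
fi
```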

