On Fri, 2026-05-08 at 13:37 -0400, Daniel Jakots wrote:
> On Wed, 6 May 2026 17:35:08 +0100, Tom Smyth
> <[email protected]> wrote:
>
> > Folks,
> > is there a more elegant way of adding private trusted cas to
> > openBSD...
>
> Out of curiosity, what's your use-case for the private CAs?
>
> I have a private CA to use mtls on some services. I just configure the
> relevant software to use specifically that CA. For instance with
> redis:
>
> $ grep ^tls /etc/redis/redis.conf
> [...]
> tls-cert-file /etc/ssl/chownme.crt
> tls-key-file /etc/ssl/redis-chownme.key
> tls-ca-cert-file /etc/ssl/chownme-cacert.pem
>
> Cheers,
> Daniel
>
I'm also interested in a more convenient way of handling additional certificate authorities as I use a custom CA to issue certificates to other machines on the local network. My CA's cert needs to be included in every connecting client's cert.pem, otherwise you obviously get an error when connecting to websites or web services.

Would it make sense to have cert.base.pem instead of cert.pem and a folder /etc/ssl/ssl.d where you would store all the other trusted CAs? Then you would run a utility "newcerts" (akin to newaliases) that creates cert.pem, which is an amalgamation of system-provided certificates plus everything in folder ssl.d.

Stuart mentioned that you also might not want to trust some existing authorities. I guess that would require the main file to be split into separate certificates so that when you run newcerts it would ignore those the administrator listed in a blacklist file or something of a similar nature.
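A prototype of the "newcerts" idea from the message above, added here as an example and not code from this thread or from OpenBSD: it splits cert.base.pem into individual certificates, drops any whose SHA-256 fingerprint appears in a blacklist, appends every certificate found in ssl.d, and writes cert.pem atomically. The blacklist location /etc/ssl/ssl.d/blacklist, its fingerprint-per-line format, and the sample certificate bodies (arbitrary bytes, not real X.509 certificates) are assumptions made for the demo.

```python
import base64, glob, hashlib, os, re, tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Every cert in text as a normalised PEM block; OpenBSD's '===' subject lines and dumps are dropped."""
    return ["-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % m.group(1).strip()
            for m in PEM_RE.finditer(text)]

def fingerprint(pem):
    """SHA-256 of the DER bytes, lowercase hex: the key used by the blacklist and for dedup."""
    return hashlib.sha256(base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))).hexdigest()

def load_blacklist(text):
    """One fingerprint per line; '#' comments, blank lines and colon separators are ignored."""
    return {l.split("#", 1)[0].strip().lower().replace(":", "") for l in text.splitlines()} - {""}

def build_bundle(base_text, extra_texts, blacklist):
    """System CAs minus blacklisted ones, then every cert from ssl.d; duplicates dropped."""
    out, seen = [], set()
    for pem in pem_blocks(base_text) + [p for t in extra_texts for p in pem_blocks(t)]:
        fp = fingerprint(pem)
        if fp not in blacklist and fp not in seen:
            seen.add(fp)
            out.append(pem)
    return out

def newcerts(base="/etc/ssl/cert.base.pem", ssl_d="/etc/ssl/ssl.d",
             blacklist="/etc/ssl/ssl.d/blacklist", target="/etc/ssl/cert.pem"):
    """Rebuild cert.pem atomically. Paths follow the thread's proposal; the blacklist name is assumed."""
    extras = [open(p).read() for p in sorted(glob.glob(os.path.join(ssl_d, "*.pem")))]
    bl = load_blacklist(open(blacklist).read()) if os.path.exists(blacklist) else set()
    bundle = build_bundle(open(base).read(), extras, bl)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target))
    with os.fdopen(fd, "w") as f:
        f.write("".join(bundle))
    os.chmod(tmp, 0o644)
    os.replace(tmp, target)  # readers never see a half-written cert.pem
    return len(bundle)

def fake_pem(payload):
    """Constructed stand-in for a certificate (arbitrary bytes, not real X.509), for the demo only."""
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(payload).decode()

# Constructed sample: two "system" roots in cert.base.pem, one private CA in ssl.d, root 2 distrusted.
SAMPLE_BASE = "### Root 1\n=== /CN=Root 1\n" + fake_pem(b"system-root-1" * 10) + fake_pem(b"system-root-2" * 10)
SAMPLE_EXTRA = fake_pem(b"private-ca" * 10)
SAMPLE_BLACKLIST = "# distrust system root 2\n" + fingerprint(fake_pem(b"system-root-2" * 10))
```

Running `build_bundle(SAMPLE_BASE, [SAMPLE_EXTRA], load_blacklist(SAMPLE_BLACKLIST))` yields root 1 and the private CA only; `newcerts()` does the same against the real paths and swaps the new file in with a rename.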

