BEFORE you get rid of the old trust store, keep using it to fetch the new one over HTTPS
fetch the latest certificate bundle and verify its SHA-256 checksum
    cd /etc/ssl/
    wget https://curl.se/ca/cacert.pem
    wget https://curl.se/ca/cacert.pem.sha256 # --no-check-certificate
    sha256sum cacert.pem
    #shasum -a 256 cacert.pem
    cat cacert.pem.sha256
    # Thu Sep 30 03:12:05 2021 GMT
    f524fc21859b776e18df01a87880efa198112214e13494275dbcbd9bcb71d976
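As an added example (not part of the original notes), a small POSIX sh helper that compares the downloaded cacert.pem against the digest published in cacert.pem.sha256 and only copies the bundle into place when they match; the function names, the shasum fallback and the three-argument invocation are my own assumptions:

```shell
#!/bin/sh
# Added example: verify cacert.pem against its published .sha256 file
# before it replaces the trust store. Not the page's own script.
set -u

# hex SHA-256 of a file; coreutils sha256sum, or shasum where that is missing
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_bundle BUNDLE SHA256FILE
# the published .sha256 file holds "<hex digest>  cacert.pem" on its first line;
# returns 0 only when that digest is well-formed and equals the computed one
verify_bundle() {
    bundle=$1
    sumfile=$2
    [ -s "$bundle" ] && [ -s "$sumfile" ] || return 1
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    # reject anything that is not exactly 64 lowercase hex characters
    case "$expected" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    actual=$(file_sha256 "$bundle")
    [ "$expected" = "$actual" ]
}

# install_bundle BUNDLE SHA256FILE DEST
# copies the bundle to DEST only after it verifies; a mismatch leaves DEST untouched
install_bundle() {
    if ! verify_bundle "$1" "$2"; then
        echo "checksum mismatch for $1, not installing" >&2
        return 1
    fi
    cp "$1" "$3"
}

# usage (assumed): sh verify-bundle.sh cacert.pem cacert.pem.sha256 /etc/ssl/cacert.pem
if [ "$#" -eq 3 ]; then
    install_bundle "$1" "$2" "$3"
fi
```

Download cacert.pem and cacert.pem.sha256 into a scratch directory first, then run the script against them so the old trust store is still in place if the check fails.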
THEN get rid of the old trust store
    # Ubuntu
    #dpkg-reconfigure ca-certificates
    #update-ca-certificates
    apt purge ca-certificates

    # Slackware
    #ls -lF /var/lib/pkgtools/packages/ca-certificates-*
    #update-ca-certificates
    removepkg ca-certificates

    cd /etc/ssl/
    rm -rf certs/
    rm -rf private/
    diff -bu /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf
    diff -bu /etc/ssl/openssl.cnf.dist /etc/ssl/openssl.cnf
tune some clients accordingly
    mv -i /etc/wgetrc /etc/wgetrc.dist
    grep -vE '^[[:space:]]*(;|#|$)' /etc/wgetrc.dist > /etc/wgetrc
    vi /etc/wgetrc

    ca_certificate = /etc/ssl/cacert.pem
there is no system-wide config for Curl
    vi ~/.curlrc

    cacert /etc/ssl/cacert.pem
–OR–
    vi ~/.profile

    export CURL_CA_BUNDLE=/etc/ssl/cacert.pem
to check remote certificates, some applications or daemons need hashed symlinks to individual PEM certificate files (not a bundle)
assuming the daemon is not in a chroot
    $OPENSSL_HOME/bin/c_rehash /etc/ssl/certs
now for GIT
    vi ~/.gitconfig

    [http]
        sslCAinfo = /etc/ssl/cacert.pem
and enable your own customized new defaults for some other clients
    mkdir certs/
    cd certs/
    ln -s ../cacert.pem ca-certificates.crt