Turns out we don't really have the resources or power to fully curate our own CA store. So I removed the wording that implied we did, and while I was at it gave the README a spruce up.
Also, instead of relying on /etc/ssl/certs, we now pull the CA bundle directly from the Debian source tree.
We do this by fetching the git source of ca-certificates as a submodule, verifying the
latest git tag, then building the trusted PEM list from Mozilla's store.
I also updated to BouncyCastle 147 to correspond with changes to NetCipher that I'll be pushing.