opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

System: Trust: Authorities - cleanup openssl trust store #7909

Closed AdSchellevis closed 2 weeks ago

AdSchellevis commented 2 months ago

Describe the bug

Currently we flush a combined certificate store to the following locations:

But in our code when we need a combined store (in cases where openssl doesn't use the regular hashes), we only use /etc/ssl/cert.pem. As we expect the trust store to use the files certctl created, I would like to suggest to only write the combined store to a location not being used by default and clean up the callers on our end.

This would mean we forcefully remove /etc/ssl/cert.pem and /usr/local/openssl/cert.pem when they exist and replace our references to /etc/ssl/cert.pem with /usr/local/etc/ssl/cert.pem.

Since we force all files to be in sync at the moment, there is no immediate issue, but for transparency it would help if our trust store would be a well defined singular container.

To Reproduce

truss /usr/local/bin/openssl s_client -servername my.domain.to.check -connect my.domain.to.check:443 < /dev/null

(or openssl for the base version)

and inspect the output; the associated hash in the certs directory won't be used in this case.

Expected behavior

use the rehash output of certctl

Describe alternatives you considered

Keep as is, with the downsides of having multiple copies.

Environment

OPNsense 24.7.x (amd64).
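As an added example, not code from this issue or from the OPNsense project: a small audit that checks whether the combined bundle and the certctl hash directory hold the same certificates, and whether the legacy bundle copies the issue proposes to remove are still present. The legacy paths are taken from the issue; the hash directory naming (<subject_hash>.N links, <hash>.rN for CRLs) is assumed from certctl's conventions, and demo() runs the audit on constructed PEM blocks in a temporary directory rather than on a live system.

```python
import base64
import hashlib
import os
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Legacy copies the issue proposes to remove (paths as named in the issue).
LEGACY_BUNDLES = ("/etc/ssl/cert.pem", "/usr/local/openssl/cert.pem")

def pem_fingerprints(text):
    """SHA-256 of the decoded body of each PEM certificate block in text."""
    fps = set()
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def audit(bundle, hash_dir, legacy=LEGACY_BUNDLES):
    """Report drift between the combined bundle and the certctl hash dir."""
    bundle_fps = pem_fingerprints(Path(bundle).read_text())
    dir_fps = set()
    for p in Path(hash_dir).iterdir():
        # certctl links certs as <subject_hash>.N; CRLs are <hash>.rN and skipped
        if re.fullmatch(r"[0-9a-f]{8}\.\d+", p.name) and p.is_file():
            dir_fps |= pem_fingerprints(p.read_text())
    return {
        "missing_from_bundle": dir_fps - bundle_fps,
        "not_in_hash_dir": bundle_fps - dir_fps,
        "legacy_copies": [path for path in legacy if os.path.exists(path)],
    }

def fake_pem(payload):
    """Constructed stand-in for a cert: the audit compares PEM bodies only."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    """Build a deliberately drifted layout in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    (root / "certs").mkdir()
    a, b, c = (fake_pem(x) for x in (b"ca-A", b"ca-B", b"ca-C"))
    (root / "cert.pem").write_text(a + b)            # combined bundle: A, B
    (root / "certs" / "0a1b2c3d.0").write_text(a)    # hash dir: A, C
    (root / "certs" / "4e5f6a7b.0").write_text(c)
    (root / "certs" / "4e5f6a7b.r0").write_text("crl placeholder")
    stale = root / "etc-ssl-cert.pem"                # stands in for /etc/ssl/cert.pem
    stale.write_text(a + b)
    return audit(root / "cert.pem", root / "certs", legacy=(str(stale),))
```

On a real box you would call audit("/usr/local/etc/ssl/cert.pem", "<certctl output dir>") and expect all three result fields to be empty once the cleanup from this issue is in place.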

AdSchellevis commented 2 weeks ago

https://github.com/opnsense/core/commit/913a5caae3

fichtner commented 2 weeks ago

Looks like this is done, but certainly great that this was easily agreed upon :)

fichtner commented 2 weeks ago

(the cool kids call it "independently verified")