Adding a new CA certificate to included bundle

Hello all.

I am using Nix on my work computer (macOS, single-user installation). My work has their own custom CA for MITM interception. I’ve had a lot of certificate difficulties because of this, but what I’ve found that works is simply appending my work’s certificate onto the included CA bundle that Nix provides.

This feels a bit hacky and not very “Nix-ish”. I’m curious if there is a way to specify to Nix a list of custom CA certificates that should be included alongside the default bundle from nixpkgs.cacert.

I have read through "SSL peer certificate or SSH remote key was not OK" error on fresh Nix install on macOS - #14 by duff and I tried setting NIX_SSL_CERT_FILE to the certificate bundle included on my system (/etc/ssl/cert.pem) which does include my work’s custom CA file, but that caused the dreaded “SSL peer certificate or SSH remote key was not OK” error message, presumably because my system’s default CA bundle is missing some other certificates that the nixpkgs.cacert package provides. So the best solution would be to simply append my work’s CA file onto that.
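One way to do what the first post describes, as an added example that is not code from the post or from Nix/nixpkgs: a small POSIX sh script that rebuilds a combined bundle from the nixpkgs cacert bundle plus the work CA (instead of pointing NIX_SSL_CERT_FILE at /etc/ssl/cert.pem, which is what dropped the certificates the post mentions) and then points NIX_SSL_CERT_FILE at the result. Because the base bundle is re-read from the immutable store path on every run, rebuilding is idempotent rather than appending a duplicate cert each time. The nix-build lookup, the output location under ~/.config/nix, and the function names are assumptions; the sample PEM files are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread, not Nix's own code): combine the nixpkgs
# cacert bundle with a work CA and point Nix at the result.

# pem_count FILE: number of certificate blocks in a PEM file (0 on none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_check FILE: at least one block, and BEGIN/END markers balanced.
pem_check() {
    b=$(pem_count "$1")
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# build_bundle BASE EXTRA OUT: OUT := BASE + EXTRA. Refuses malformed input,
# writes atomically (temp file + mv) so a half-written bundle is never used,
# and verifies the cert count of the result.
build_bundle() {
    base=$1 extra=$2 out=$3
    pem_check "$base"  || { echo "build_bundle: bad base bundle $base" >&2; return 1; }
    pem_check "$extra" || { echo "build_bundle: bad CA file $extra" >&2; return 1; }
    tmp="$out.tmp.$$"
    cat "$base" > "$tmp"
    # make sure the appended cert starts on its own line even if BASE lacks a trailing newline
    [ -z "$(tail -c 1 "$base")" ] || printf '\n' >> "$tmp"
    cat "$extra" >> "$tmp"
    mv "$tmp" "$out"
    [ "$(pem_count "$out")" -eq $(( $(pem_count "$base") + $(pem_count "$extra") )) ]
}

# nix_cacert_bundle: path of nixpkgs.cacert's bundle in the store (assumed layout
# $out/etc/ssl/certs/ca-bundle.crt). Only usable where nix-build exists.
nix_cacert_bundle() {
    command -v nix-build >/dev/null 2>&1 || return 1
    printf '%s/etc/ssl/certs/ca-bundle.crt\n' "$(nix-build '<nixpkgs>' -A cacert --no-out-link)"
}

# nix_ca_env OUT: the line to put in the shell profile once OUT exists.
nix_ca_env() {
    printf 'export NIX_SSL_CERT_FILE=%s\n' "$1"
}

# write_sample_pems DIR: CONSTRUCTED stand-ins for the nixpkgs bundle (2 certs,
# no trailing newline) and a work CA (1 cert). Bodies are placeholders only.
write_sample_pems() {
    dir=$1
    printf '%s\n%s\n%s\n%s\n%s\n%s' \
      '-----BEGIN CERTIFICATE-----' 'MIIBconstructedPublicCAOne' '-----END CERTIFICATE-----' \
      '-----BEGIN CERTIFICATE-----' 'MIIBconstructedPublicCATwo' '-----END CERTIFICATE-----' \
      > "$dir/ca-bundle.crt"
    printf '%s\n%s\n%s\n' \
      '-----BEGIN CERTIFICATE-----' 'MIIBconstructedWorkMitmCA' '-----END CERTIFICATE-----' \
      > "$dir/work-ca.pem"
}

# Real use (assumed paths): rebuild after every nixpkgs update, then export.
#   build_bundle "$(nix_cacert_bundle)" ~/work-ca.pem ~/.config/nix/ca-bundle.crt
#   nix_ca_env ~/.config/nix/ca-bundle.crt >> ~/.profile
```

The rebuild step belongs wherever nixpkgs is updated, since the store path of the cacert bundle changes with each nixpkgs revision; the output file itself can stay at a fixed location so NIX_SSL_CERT_FILE never has to change.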
Are you looking for security.pki.certificateFiles?

That is only a NixOS configuration option, no? I am using Nix on macOS.

Ah, I see, looks like I skimmed past that, sorry!

I’m also having the same issue. @gpanders did you manage to solve it?