Certificate Authorities

I just happened to look in my .nix-profile/etc/ssl/certs/ca-bundle.crt and found a very large number of certificate authorities.

How does this get set? I have never even heard of some of the CAs. Why do we have all those CAs?

They’re defined here: nixpkgs/ca.nix at 733682c32929293341f113f297b64ea6319e9089 · NixOS/nixpkgs · GitHub. The default ones come from cacert, which in turn is a packaged version of Mozilla’s trust store; see here: curl - Extract CA Certs from Mozilla.

You can blacklist those you don’t trust with security.pki.caCertificateBlacklist.

We have all those CAs because they’re the basic foundation of public key encryption with central authorities. Yes, the system is broken.
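As an added example (not part of the original answer), this is what removing a few roots from the system bundle looks like in a NixOS `configuration.nix`, using the `security.pki.caCertificateBlacklist` option mentioned above. The CA names used are illustrative: the option matches entries by the name each root carries in the Mozilla bundle, so any names you put here must be copied exactly from the bundle you are pruning. The comment about the user-profile copy states an assumption about how the module and the cacert package interact.

```nix
{ config, pkgs, ... }:

{
  # Roots that this host should not trust. Each string must match the
  # certificate's name as it appears in the Mozilla/cacert bundle; the
  # names below are placeholders, not a recommendation.
  security.pki.caCertificateBlacklist = [
    "Example Untrusted Root CA"
    "Example Untrusted Root CA G2"
  ];

  # Optional: private roots that should be added alongside the Mozilla set
  # (e.g. an internal PKI). PEM files are read at build time.
  security.pki.certificateFiles = [
    # /etc/nixos/pki/internal-root.pem   # placeholder path
  ];

  # After `nixos-rebuild switch`, the pruned bundle is at
  # /etc/ssl/certs/ca-bundle.crt. A quick sanity check:
  #   grep -c 'BEGIN CERTIFICATE' /etc/ssl/certs/ca-bundle.crt
  # should drop by the number of blacklisted entries that matched.
  #
  # Assumption: this option only shapes the bundle the NixOS module
  # generates. A cacert package installed into a user profile
  # (~/.nix-profile/etc/ssl/certs/ca-bundle.crt) is the unmodified package
  # and keeps the full Mozilla set unless cacert itself is overridden.
}
```

Keep the list small and deliberate: a root you blacklist here will cause TLS failures for every site chaining to it, and the failure surfaces as a generic verification error rather than anything that points back to this option, so document why each entry is present.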
