Current state

Historically, on Linux trusted certificates management has been terrible. Different libraries use different sources for trusted certificates, which is weird and inconsistent. Also, there are configurability and portability issues.

Issues

• Inconsistency across libraries
• User configuration: users cannot easily specify which certificates they want to trust
• Distro-specific CA paths: portability across distros is poor as paths may differ, which is a huge pain for people using Nix as their package manager on other distros
• Bundling: to bundle certificates with your application (e.g. in flatpak) you need to recompile the crypto lib and everything that depends on it (which is a lot)

Runtime configuration

NixOS/Nixpkgs attempts to solve this by patching libraries to support reading the path to the CA bundle from an environment variable. This approach actually solves all of the issues above (except for the inconsistency, unless applied to all existing crypto libraries).

• openssl: looks for the NIX_SSL_CERT_FILE variable
• gnutls: unmerged PR (suggested to send upstream; not yet sent, AFAIU), new PR
• ??

There was a discussion on the gnutls mailing list where one of Guix developers proposed such a patch. Although not rejecting the idea, upstream suggested looking at p11-kit instead, so the question now is whether it will help us.

p11-glue

A set of standards and tools for coordinating the use of PKCS#11 (whatever this means) by applications or libraries. Most importantly, they make p11-kit, which contains the Trust Policy Module, i.e. a library for discovering things like trusted certificates and blacklists.

• Website
• p11-kit docs

Support in other crypto libraries

• openssl: ??
• gnutls: has a module that allows it to use p11-kit as a trust store.