With the coming of 7.19 we’ve now been exposed to “Built-in root certificate authorities” which sounds like a really good thing.
Long ago when I started messing with DoH and various other things I followed A Guide to import the CAs curl uses. Worked great then, works great now!
However, as my setup matures and my knowledge increases I’m revisiting everything to better understand what’s already in-built, maybe relieving some maintenance burden and improving functionality / security.
My questions:
What certs are trusted by default in ROS, that I can take advantage of simply by checking “Trust Built In Anchors” — and ideally, how can I find that out for myself? I don’t see anything new in System > Certificates.
Same thing, but for CRL — and in particular, what messages might I see in the logs if a connection to a host is refused due to failure to verify the cert due to the CRL?
Overall here, my goal is to remove as much “custom” configuration support as possible. But in the end if I have to maintain my own cert list it’s not a big deal — I will just schedule a script once a month to replace / update the lists on my own and ignore the built-in trusts.
But this is such a cool feature to have in-built it seems a shame not to be able to utilize it more fully.
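For the fallback mentioned above (maintaining the curl CA list yourself on a monthly schedule), here is an added example of what such a scheduled script could look like. It is not from the original post or from the guide the poster followed; it assumes outbound HTTPS from the router to curl.se is allowed, that the file name "cacert.pem" is free, that a CA able to verify curl.se's own certificate is already trusted (so the download itself is verified), and the script and scheduler names are constructed placeholders. The bundle URL https://curl.se/ca/cacert.pem is curl's published location for its CA list.

```routeros
# Body of a RouterOS script named "refresh-curl-ca" (added example; names are placeholders).
# Assumes: HTTPS to curl.se is reachable, "cacert.pem" is a free file name, and a trusted CA
# already exists on the router so that check-certificate=yes can verify curl.se.

:do {
    # Download curl's CA bundle. check-certificate=yes makes the fetch fail, rather than
    # silently succeed, if curl.se's own server certificate cannot be verified.
    /tool fetch url="https://curl.se/ca/cacert.pem" dst-path="cacert.pem" mode=https check-certificate=yes

    # Import every certificate contained in the PEM bundle into /certificate.
    # An explicit empty passphrase is given because the bundle is not encrypted.
    /certificate import file-name="cacert.pem" passphrase=""

    :log info "refresh-curl-ca: CA bundle fetched and imported"
} on-error={
    # Leave the existing trust store untouched if either step fails, and record it
    # so the failure is visible in /log rather than discovered on the next TLS error.
    :log warning "refresh-curl-ca: fetch or import failed, existing CAs left unchanged"
}

# Run the script above roughly once a month (configured separately, one line in the terminal):
# /system scheduler add name="refresh-curl-ca-monthly" interval=30d on-event="/system script run refresh-curl-ca" policy=read,write,ftp,test
```

The script needs read, write, ftp and test policies (fetch and certificate import), so the scheduler entry is created with the same policy set. Wrapping the two steps in `:do { } on-error={ }` matters for the poster's stated goal of low maintenance: a failed download is logged and the previously imported CAs stay in place, instead of leaving the router with a partial or missing trust list.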