8.14.1. ca-certificates 2026-03-19
Install a Mozilla-derived CA certificate bundle for TLS clients in the final target environment.
Input assumption: cacert-2026-03-19.pem is already present in /sources from the chapter 4 source staging step.
Source URL: https://curl.se/ca/cacert-2026-03-19.pem
Source note: curl's CA extract page publishes PEM bundles generated from Mozilla's root certificate store. The matching upstream SHA-256 sidecar for this file is b6e66569cc3d438dd5abe514d0df50005d570bfc96c14dca8f768d020cb96171.
Licenses:
- MPL-2.0
Dependencies:
- LibreSSL
ca-certificates is a bundle of public CA root certificates extracted from Mozilla's root store. we need it to let TLS clients such as curl, Cargo, and Python verify HTTPS servers in the final target environment.
Install ca-certificates
LibreSSL was configured with /system/configuration/ssl as its OpenSSL directory, and curl was configured to use /system/configuration/ssl/cert.pem as its CA bundle. Install the bundle there and add common compatibility names for tools that probe the traditional /etc/ssl/certs paths.
install -Dm644 /sources/cacert-2026-03-19.pem \
/system/configuration/ssl/cert.pem
mkdir -p /system/configuration/ssl/certs
ln -sf ../cert.pem /system/configuration/ssl/certs/ca-certificates.crt
ln -sf ../cert.pem /system/configuration/ssl/certs/ca-bundle.crt
Add TLS Environment Defaults
These defaults make Cargo and other OpenSSL-using tools prefer the installed bundle even when their built-in certificate path probe does not know this system's layout.
grep -q '^export SSL_CERT_FILE=/system/configuration/ssl/cert.pem$' \
/system/configuration/profile || \
printf '%s\n' \
'export SSL_CERT_FILE=/system/configuration/ssl/cert.pem' \
>> /system/configuration/profile
grep -q '^export CARGO_HTTP_CAINFO=/system/configuration/ssl/cert.pem$' \
/system/configuration/profile || \
printf '%s\n' \
'export CARGO_HTTP_CAINFO=/system/configuration/ssl/cert.pem' \
>> /system/configuration/profile
export SSL_CERT_FILE=/system/configuration/ssl/cert.pem
export CARGO_HTTP_CAINFO=/system/configuration/ssl/cert.pem
Verify ca-certificates
test -s /system/configuration/ssl/cert.pem
openssl verify -CAfile /system/configuration/ssl/cert.pem \
/system/configuration/ssl/cert.pem >/dev/null
Command Explanations
install -Dm644 /sources/cacert-...pem: Installs the CA bundle and creates its parent directory.mkdir -p /system/configuration/ssl/certs: Creates the certificate-directory compatibility location.ln -sf ../cert.pem ...: Provides common CA bundle filenames used by TLS clients.grep -q ... || printf ... >> /system/configuration/profile: Adds certificate environment variables only if they are not already present.SSL_CERT_FILEandCARGO_HTTP_CAINFO: Point OpenSSL-compatible tools and Cargo at the installed CA bundle.test -s ...: Verifies that the installed bundle exists and is not empty.openssl verify -CAfile ...: Performs a basic verification check against the installed bundle.