From: Sebastien Marie
Subject: Re: /etc/ssl/cert.pem : concatenate system and local files
To: Lloyd
Cc: tech@openbsd.org
Date: Fri, 22 May 2026 22:07:58 +0200

Lloyd writes:
> I like this idea but I think the diff is broken.
>
> Initial comments:
>
> 1. mktemp fails - shouldn't it be -p not -t?

right.

> 2. the generated cert.pem has permissions 0600 root:wheel in my
> testing, it needs to be world-readable, should it be 0444 root:bin?

right too.

> 3. I would think cert.local.pem should have 0644 perms

it isn't a problem in the diff. it only looks if the file is readable.

> 4. With this tucked away into /etc/rc, what is the official update
> procedure to regenerate cert.pem when adding a certificate?
>
> 5. where in the man pages do we note the existence of cert.local.pem?

nowhere at this stage. the diff is more a proof-of-concept asking for
comments than something to be committed as is.

Thanks for your comments.
--
Sebastien Marie