One of these certs is not like the others - DST Root CA X3 breaking antique hosts

PS: on a related note, I've been poring over all of the comments in these closed threads.

And a couple of q's -

  1. I'd been considering grabbing certificates.txt from a newer distro - why does this also require building 1.0.2?
  2. The advice below seems to also apply to CentOS 6 - at least I do have an update-ca-trust program which knows about that directory. I have the cert, in BEGIN/END form, which I can also convert to the longer format beginning with "Certificate" (not sure on the nomenclature).
    What sort of format does it need to be in, for the blacklist directory?

Put the expired CA certificate(s) in /etc/pki/ca-trust/source/blacklist/, and invoke update-ca-trust(8) to rebuild the trust store. Verify with trust list.