caroot: regenerate the root bundle with OpenSSL 3

No functional change intended.

Approved by: re (kib)

(cherry picked from commit 8ed0ecf8024d10e9cd21f5880723a6cec4fd4ae6)

caroot: drop the VERSION tag from already-processed certs

An update is imminent; drop these now to make it easier to audit the
results.

Approved by: re (kib)

(cherry picked from commit 3f84d4b0fe1

caroot: drop the VERSION tag from already-processed certs

An update is imminent; drop these now to make it easier to audit the
results.

Approved by: re (kib)

(cherry picked from commit 3f84d4b0fe1445bca5f3b6a70fc5641b88c31217)

show more ...

caroot: reroll the remaining certs

This adds a specific note that these are explicitly trusted for
server auth.

MFC after: 3 days

caroot: drop $FreeBSD$ expansion from root bundle

This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.

caroot: drop $FreeBSD$ expansion from root bundle

This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.

MFC after: 3 days

show more ...

caroot: commit initial bundle

Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
certctl rehash
- c

caroot: commit initial bundle

Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
certctl rehash

Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs

No objection from: secteam
Relnotes: Definite maybe

show more ...