By "Linux" it really means any SSL lib that just uses system's "a dir with a bunch of CAs" approach.
That approach is nice for ops (don't have to worry about commands to add/remove certs, just drop files into dir) and relatively performant (just one read on cert's fingerprint file name in modern distros).
I think simplest one would be just adding meta file with a bunch of conditions ?
While we're at it, allow the certs to be imported only for certain domain, so ops can, for example, import internal CA of their partner but limit it to only partner's domains
I hate to say it but... I want a systemd-certd that TLS libraries can call into saying 'verify this please' and then the logic for verifying trust path, validity, revocation status etc can be done in one place, consistently and correctly.
That approach is nice for ops (don't have to worry about commands to add/remove certs, just drop files into dir) and relatively performant (just one read on cert's fingerprint file name in modern distros).
I think simplest one would be just adding meta file with a bunch of conditions ?
While we're at it, allow the certs to be imported only for certain domain, so ops can, for example, import internal CA of their partner but limit it to only partner's domains