Yes, you are right, but I don't understand why bullseye certificates have not been updated. Security updates are supposed to be being handled by the LTS team, and surely certificates are part of security; from their end it's a very easy update. I believe bookworm's ca-certificates package is still being updated. The current version in bookworm is 20230311+deb12u1, which was last updated in June this year to add two Sectigo root certificates.
I've just spent a frustrating hour trying to add a certificate bundle, but Linux does not like certificate files with more than one certificate in them. I've no idea why I persisted.
Anyway, I have now figured out an easy and safe way to do this: I need to copy the /usr/share/ca-certificates/mozilla/* files from bookworm or trixie to, say, /usr/share/ca-certificates/mynewmozilla/* on bullseye and then update ca-certificates. That way, if an apt update brings newer certificates or revocations, they will override my changes.
Statistics: Posted by pidd — Fri Oct 31, 2025 6:56 am
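
The copy step described in the post above, as an added example that is not part of the original post. The function name `stage_certs` and its parameters are assumptions made here; it relies on the documented behaviour that `update-ca-certificates` only trusts files under /usr/share/ca-certificates that are listed in /etc/ca-certificates.conf, and treats a leading `!` in that file as a deselected certificate.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or from Debian).
# stage_certs SRC_DIR CERT_ROOT CONF [SUBDIR]
#   SRC_DIR    directory of *.crt files copied from the newer release
#   CERT_ROOT  normally /usr/share/ca-certificates
#   CONF       normally /etc/ca-certificates.conf
#   SUBDIR     destination sub-directory (default: mynewmozilla, as in the post)
# Prints the number of entries newly added to CONF; skip reasons go to stderr.
stage_certs() {
    src=$1 root=$2 conf=$3 sub=${4:-mynewmozilla}
    added=0
    mkdir -p "$root/$sub" || return 1
    for f in "$src"/*.crt; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # One certificate per .crt file is expected; leave bundles out.
        n=$(grep -cF -e '-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$n" -ne 1 ]; then
            echo "skip $name: $n certificates in file" >&2; continue
        fi
        # Keep a local distrust decision: "!mozilla/<name>" already in CONF.
        if grep -qxF "!mozilla/$name" "$conf"; then
            echo "skip $name: deselected in $conf" >&2; continue
        fi
        cp "$f" "$root/$sub/$name" || return 1
        # A copied file is ignored until its relative path is listed in CONF.
        if ! grep -qxF "$sub/$name" "$conf"; then
            echo "$sub/$name" >> "$conf"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Typical use as root, after trying it on a scratch tree first:
#   stage_certs /tmp/bookworm-mozilla /usr/share/ca-certificates \
#       /etc/ca-certificates.conf && update-ca-certificates
```

Files placed under /usr/local/share/ca-certificates with a .crt extension are picked up by `update-ca-certificates` without a config entry, which is an alternative to editing the config.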