Should Homebrew tools use system certificates from /usr/local/share/ca-certificates?

[ypfaff]

Additional Info

• I am using Windows Subsystem for Linux

Output of brew config

HOMEBREW_VERSION: 4.5.13
ORIGIN: https://github.com/Homebrew/brew
HEAD: 4d14be89e99a45181c18e96a5f19a5b43343cc0f
Last commit: 5 days ago
Branch: stable
Core tap JSON: 30 Jul 05:53 UTC
HOMEBREW_PREFIX: /home/linuxbrew/.linuxbrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_DISPLAY: :0
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 3.4.5 => /home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/vendor/portable-ruby/3.4.5/bin/ruby
CPU: octa-core 64-bit zen3
Clang: N/A
Git: 2.50.1 => /home/linuxbrew/.linuxbrew/bin/git
Curl: 8.5.0 => /bin/curl
Kernel: Linux 6.6.87.2-microsoft-standard-WSL2 x86_64 GNU/Linux
OS: Ubuntu 24.04.2 LTS (noble)
WSL: 2 (Microsoft Store)
Host glibc: 2.39
/usr/bin/gcc: 13.3.0
/usr/bin/ruby: N/A
glibc: N/A
gcc@11: N/A
gcc: 15.1.0
xorg: N/A

Output of brew doctor

Warning: Some installed formulae are deprecated or disabled.
You should find replacements for the following formulae:
  terraform

Warning: The following formulae have the same name as core formulae:
  hashicorp/tap/consul-template
  hashicorp/tap/levant
  hashicorp/tap/nomad
  hashicorp/tap/packer
  hashicorp/tap/terraform
  hashicorp/tap/terraform-ls
  hashicorp/tap/vault
  hashicorp/tap/waypoint
Their taps are in use, so you must use these full names throughout Homebrew.

Description of issue

Background

I'm working in a corporate environment where we need to install custom CA certificates (for proxy servers, internal CAs, etc.) to access company resources. We install these certificates to the system certificate store using the standard Ubuntu approach:

1. Place .crt files in /usr/local/share/ca-certificates/
2. Run sudo update-ca-certificates to update /etc/ssl/certs/ca-certificates.crt

Issue

While system tools (e.g. wget from apt) correctly use these certificates, Homebrew-installed tools apparently ignore them. Tools installed via Homebrew fail with SSL certificate verification errors when accessing corporate resources.

Current Workaround

Based on the OpenSSL@3 formula documentation, we're manually copying certificates to Homebrew's OpenSSL directory:

cp /usr/local/share/ca-certificates/*.crt "$(brew --prefix)/etc/openssl@3/certs/"
"$(brew --prefix)/opt/openssl@3/bin/c_rehash" "$(brew --prefix)/etc/openssl@3/certs/"

This works, but requires manual intervention every time certificates are updated.

Questions

1. Is this the intended behavior? Should Homebrew tools deliberately ignore system certificates from /usr/local/share/ca-certificates/?
2. What's the design rationale? Why doesn't Homebrew's OpenSSL use the system certificate bundle that other tools rely on?
3. Is manual copying the recommended approach? Or is there a more elegant way to make Homebrew tools respect system certificates?
4. Should this be documented more prominently? This seems like a common issue in corporate environments, but it's not obvious from the main Homebrew documentation.

[p-linnane]

1. Yes, it is the intended behavior. We use the latest Mozilla CA certificate store (2025-07-15 as of this post).
2. We use a cert store that we know is good, and is regularly updated and verified in our CI.
3. No, that's about it. How often are you adding and updating certificates locally? I would think this is a fairly infrequent process.
4. Feel free to open a documentation PR in Homebrew/brew and we'll review it.

[carlocab]

Well, to be fair, we do bootstrap the certificates from ca-certificates using the system Keychain on macOS: https://github.com/Homebrew/homebrew-core/blob/904a0ea38ba83369b8288685bbb9c7f205d30dc6/Formula/c/ca-certificates.rb#L29-L121

This is possible to do on macOS because we know there is already a /usr/bin/openssl available. It's not as straightforward to portably on Linux. openssl@3 depends on ca-certificates, so we can't use the openssl binary from openssl@3 in ca-certificates.

However, if there were a sensible and portable way to bootstrap the certificate store using the system provided one on Linux, then we would probably review a PR that implements it.

[carlocab]

Current Workaround

Based on the OpenSSL@3 formula documentation, we're manually copying certificates to Homebrew's OpenSSL directory:

cp /usr/local/share/ca-certificates/*.crt "$(brew --prefix)/etc/openssl@3/certs/"
"$(brew --prefix)/opt/openssl@3/bin/c_rehash" "$(brew --prefix)/etc/openssl@3/certs/"

If the actual .crt filenames don't change, and only their contents change, then it might suffice to just symlink them with

ln -sf /usr/local/share/ca-certificates/*.crt "$(brew --prefix)/etc/openssl@3/certs/"

That might make openssl@3 automatically pick up any certificate changes? Unsure, but seems worth a try.

[ypfaff]

Thank you both for the quick and straightforward responses! @p-linnane @carlocab

I noticed that in the description of the openssl@3 formula at https://formulae.brew.sh/formula/openssl@3, it says:

“A CA file has been bootstrapped using certificates from the system keychain.”

As I understand it, this bootstrapping does not actually happen during the installation of openssl@3, but rather in the ca-certificates formula, as @carlocab linked. Do you see any objection to moving this note to the ca-certificates formula documentation instead? And explicitly stating that system CA certificates are only added to the CA file on macOS?

For the Linux scenario (missing system openssl binary), one could conditionally copy or symlink the system certificates into the Homebrew CA store if an openssl binary is present. However, I’m concerned this might introduce inconsistencies. Would you find it helpful to accompany such a step with a clear log output to ensure transparency about the approach?

[carlocab]

I noticed that in the description of the openssl@3 formula at formulae.brew.sh/formula/openssl@3, it says:

“A CA file has been bootstrapped using certificates from the system keychain.”

As I understand it, this bootstrapping does not actually happen during the installation of openssl@3, but rather in the ca-certificates formula, as @carlocab linked. Do you see any objection to moving this note to the ca-certificates formula documentation instead? And explicitly stating that system CA certificates are only added to the CA file on macOS?

Yes, those caveats come from a time before we had a ca-certificates formula and created a certificate bundle that combines the system CA bundle with the one that comes with OpenSSL (which I think also comes from Mozilla's CA store).

So that message is now stale, and it would be appropriate to move it to the ca-certificates formula, and it would be more accurate to print the message only on macOS.

For the Linux scenario (missing system openssl binary), one could conditionally copy or symlink the system certificates into the Homebrew CA store if an openssl binary is present. However, I’m concerned this might introduce inconsistencies. Would you find it helpful to accompany such a step with a clear log output to ensure transparency about the approach?

It's difficult to comment without actually seeing the code so we have a fuller understanding of what this means and what the consequences are. Please feel free to open a PR and we can discuss it. I can't promise that it will be merged, but I can promise to give it a sincere review.

[ypfaff]

Hi @carlocab,

I completely understand that it's difficult to discuss implementation details without seeing the actual code. Following your suggestion, I've implemented the Linux custom certificate integration feature.

You can find the full implementation in this PR: Homebrew/homebrew-core#232226

Looking forward to your review and feedback!