Need better support for adding site-local certificates

Bug #293944 reported by Daniel Richard G.
Affects | Status | Importance | Assigned to | Milestone
ca-certificates (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: ca-certificates

A wishlist item for ca-certificates 20080514-0ubuntu1 in intrepid:

I'm putting together a system image for a small corporate site. I am placing files under /usr/local/, and occasionally symlinking these into /etc, /usr, etc. as necessary (as opposed to assembling custom packages in a custom repository; this would be overkill for the site in question). This way, there is a clear distinction between files under the control of the package manager, and local files that aren't.

I want to add a couple of site-specific certificates to the set used by ca-certificates. My first approach was to symlink the subdirectory:

    /usr/share/ca-certificates/smallcorp -> /usr/local/share/ca-certificates/smallcorp/

This didn't work; "dpkg-reconfigure ca-certificates" would not show the new certs in the multiselect list. So I tried creating the subdirectory in /usr, and symlinking the individual .crt files:

    /usr/share/ca-certificates/smallcorp/
    /usr/share/ca-certificates/smallcorp/SmallCorp_Root_CA.crt -> /usr/local/share/ca-certificates/smallcorp/SmallCorp_Root_CA.crt

Again, no go. The only way that debconf would see the new certs was to copy them in as regular files, into a regular subdirectory under /usr.

I would like to see a tweak in how this package finds certificates, to allow adding new ones without polluting /usr with non-dpkg-managed files. A couple of approaches come to mind:

1. Scan /usr/local/share/ca-certificates/ in addition to /usr/share/ca-certificates/.

2. Follow symlinks in /usr/share/ca-certificates/.

I prefer #1, as it is cleaner, and doesn't raise tricky questions of dangling/cyclic symlinks.
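
An added example, not part of the original report and not the ca-certificates implementation or the change released in 20090624: a scanner that covers both proposed approaches, reading several certificate roots and following a symlinked .crt file only when it resolves to a regular file inside one of those roots, so dangling and cyclic links are reported instead of trusted. The function names and the temporary demo tree are constructed, and GNU `readlink -f` is assumed.

```shell
#!/bin/sh
# Added example, not ca-certificates code. Lists *.crt candidates under the
# given roots: regular files are accepted, and a symlink is accepted only if
# it resolves to a regular file inside one of those roots.
scan_ca_roots() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -name '*.crt' \( -type f -o -type l \) | sort |
        while IFS= read -r p; do
            if [ ! -L "$p" ]; then echo "OK $p"; continue; fi
            # -e follows the link, so it is false for dangling and cyclic links
            if [ ! -e "$p" ]; then echo "SKIP unresolvable $p"; continue; fi
            if [ ! -f "$p" ]; then echo "SKIP not-a-file $p"; continue; fi
            target=$(readlink -f "$p")
            verdict="SKIP outside-roots"
            for allowed in "$@"; do
                [ -d "$allowed" ] || continue
                case "$target" in
                    "$(readlink -f "$allowed")"/*) verdict="OK" ;;
                esac
            done
            echo "$verdict $p"
        done
    done
}

# Constructed sample tree mirroring the layout in the report (hypothetical
# helper); prints the temporary directory that stands in for "/".
make_demo_tree() {
    d=$(mktemp -d)
    s="$d/usr/share/ca-certificates/smallcorp"
    l="$d/usr/local/share/ca-certificates/smallcorp"
    mkdir -p "$s" "$l" "$d/home/user"
    : > "$l/SmallCorp_Root_CA.crt"      # empty placeholder, not a real cert
    : > "$d/home/user/Other.crt"
    ln -s "$l/SmallCorp_Root_CA.crt" "$s/SmallCorp_Root_CA.crt"
    ln -s "$d/home/user/Other.crt" "$s/Other.crt"   # resolves outside the roots
    ln -s "$s/missing.pem" "$s/Dangling.crt"        # dangling
    ln -s "$s/Loop.crt" "$s/Loop.crt"               # cyclic (points at itself)
    echo "$d"
}

demo=$(make_demo_tree)
scan_ca_roots "$demo/usr/share/ca-certificates" "$demo/usr/local/share/ca-certificates"
rm -rf "$demo"
```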

Matthias Klose (doko) wrote :

fixed in 20090624

Changed in ca-certificates (Ubuntu):
status: New → Fix Released