Add WNTRMUTE issuing CA to system trust store

All NixOS machines now trust the Metacircular platform CA. This allows curl, browsers, and Go services to verify TLS certificates issued by Metacrypt without --insecure or custom CA flags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 19:30:24 -07:00
parent 73be02eaae
commit 87be4e34d3
2 changed files with 21 additions and 0 deletions
--- a/certs/wntrmute-ca.pem
+++ b/certs/wntrmute-ca.pem
@@ -0,0 +1,18 @@
 -----BEGIN CERTIFICATE-----
 MIIC6zCCAkygAwIBAgIUTh42D9w7YT5e/Nz+42m32ZyHNvEwCgYIKoZIzj0EAwQw
 gY0xCzAJBgNVBAYTAlVTMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEiMCAGA1UEChMZ
 V05UUk1VVEUgSGVhdnkgSW5kdXN0cmllczEfMB0GA1UECxMWQ3J5cHRvZ3JhcGhp
 YyBTZXJ2aWNlczEjMCEGA1UEAxMaV05UUk1VVEUgSXNzdWluZyBBdXRob3JpdHkw
 HhcNMjYwMzExMjMxOTE0WhcNNDYwMzA3MDAxOTE0WjCBjTELMAkGA1UEBhMCVVMx
 CTAHBgNVBAgTADEJMAcGA1UEBxMAMSIwIAYDVQQKExlXTlRSTVVURSBIZWF2eSBJ
 bmR1c3RyaWVzMR8wHQYDVQQLExZDcnlwdG9ncmFwaGljIFNlcnZpY2VzMSMwIQYD
 VQQDExpXTlRSTVVURSBJc3N1aW5nIEF1dGhvcml0eTCBmzAQBgcqhkjOPQIBBgUr
 gQQAIwOBhgAEAewp0TVimwwnBnXWWYBoBNCmP73xPii58M/wWdwxY0myv2IHXiXB
 /ip4Q25dMYhFyoCMq0g5VkRl5Y18OHfxLxrdARHE/tVlvnqzNH+sG0sm53NPRIeY
 Eo0xbF546rv+/huC39SMrkZsrGmW3qiXOScX8LIQucvyJYcn2smqL2Gv8LzPo0Uw
 QzAOBgNVHQ8BAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQU
 RVqxahQ8/leaLJjewC/xcoLJbTwwCgYIKoZIzj0EAwQDgYwAMIGIAkIA/6VhQ1/o
 yZ+JNLxXHhhvUMiv/05Man3wM9Bn/dTUC0KamJo0K1AwtWQoYU69vxs8nj4xH4+A
 oyATEqNB97byr74CQgC9sZfPWqDlFLqGO6dNEQqOF/54ya64fKQdSwNL4UzZTW8U
 215hy6CercFpR9AzFBcCAonBY5fIJvlu64SUWXlStg==
 -----END CERTIFICATE-----
--- a/configuration.nix
+++ b/configuration.nix
@@ -136,6 +136,9 @@
  };
  programs.ssh.askPassword =  "ksshaskpass";
  # Trust the WNTRMUTE issuing CA for all Metacircular services.
  security.pki.certificateFiles = [ ./certs/wntrmute-ca.pem ];
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nix.settings.trusted-users = ["kyle"];