Speaking of things about SSL that I am tired of forgetting: Programs that use OpenSSL libraries (including the OpenSSL command-line tools) can sometimes need handholding in order to find their certificate authority root certificates. For example, here’s me trying to verify that a newly deployed certificate is valid: $ openssl s_client -connect ${HOSTNAME}:443 </dev/null CONNECTED(00000003) depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 verify error:num=20:unable to get local issuer certificate verify return:0 What you say? …