Where to acquire and how to install latest CA-Certificates?

Can someone explain to me where to acquire the latest CA-Certificates file and how to install them in opensuse?

I have used YaST and searched for Certificates and selected all the ones that looked like what I needed, and it said the installation was successful, but I am not sure the ones on the repository are the most current.

How can I verify that the certificates are installed correctly? (e.g., is there an openssh command that can do the verification?)

Is there a way to verify that the installed certificates are the most current?

I am trying to run msmtp with TLS and I am getting errors saying the fingerprints do not match. It was suggested that I configure a Google admin account to perhaps fix this problem. AFAIK, one has to create an admin account with $s and specify a domain (which I have but don’t want to use in this application) in order to successfully handshake with msmtp.
I used a similar program (ssmtp) with TLS on and had no issues. Advice much appreciated.


Certificates of Authority (CA) exist for many purposes.

You need to specify what you wish to do to determine the CAs for that purpose.

For instance, Web browsers are pre-installed with CAs to trust websites.
Web browser companies charge the CAs enormous sums of money to be included in this default list; this is why this embedded list is updated very infrequently.

Let’s say, for instance, that you have set up your own CA, which of course isn’t on the browser’s list (and you’re not likely willing to pay the millions of dollars to be included). You can either make a deal with one of the CAs already on the list to be an Intermediate CA included in that CA’s chain of trust, or Users can manually add your CA (which is probably beyond the technical comprehension of most Users).

The above is also true of many community CAs who don’t have the budget to be automatically verified one way or another, and usually have to be added manually.

If you want to use these CAs in some other app, the certs specifying the CAs can typically be exported and imported into another certificate store.

If you’re asking about GPG certificates commonly used to verify openSUSE repos, those are installed by default and updated automatically through its packaging system.

From time to time though, if you need to add a non-default repo, you will typically be challenged to accept or deny the certificate at the time you add the repo. If you wanted to “pre-add” the certificate beforehand, I don’t know that there is a list of certs (which could always be changing). The certificate information is stored within the file tree of every repo.