That’s very good to know, I assumed you’d find it in ca-certificates 
This is exactly why I’m using Fedora for work instead of Ubuntu - sane certificate management.
Oh well. Think I’ll just drop a script to /etc/init.d to do this on my behalf, and symlink it to /etc/rc.d/S99...
test -f /etc/ssl/certs/my-ca.crt \
||( openssl x509 -in /root/ca/pki/ca-root.crt -out /etc/ssl/certs/my-ca.crt \
&& c_rehash )
grep $(head -2 /etc/ssl/certs/my-ca.crt | tail -1) /etc/ssl/certs/ca-certificates.crt \
|| cat /etc/ssl/certs/my-ca.crt >> /etc/ssl/certs/ca-certificates.crt
Dirty, but should do the trick. Anyway, it’s not worse than keeping msmtp a wrapper over the actual msmtp.
Ummm no. It’s a home lab. I want stuff to start throwing SSL errors unless I had installed my CA on the device, on purpose 
Thank you very much for both the ca_bundle and the c_rehash pointers!