As layed out in the comments: https://github.com/freebsd/freebsd-src/commit/87945a082980260b52507ad5bfb3a0ce773a80da > split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x" Unfortunately, that is broken as well. https://www.rfc-editor.org/rfc/rfc7468#section-2 says: > Textual encoding begins with a line comprising "-----BEGIN ", a > label, and "-----", and ends with a line comprising "-----END ", a > label, and "-----". and > lines are divided with CRLF, CR, or LF. Now: > # egrep '^-+BEGIN CERTIFICATE-+$' /usr/local/share/certs/siemens-pki-cert-15.crt which does not work because it does fully implement the RFC: > # cat -v /usr/local/share/certs/siemens-pki-cert-15.crt > subject: CN=Siemens Issuing CA Medium Strength Authentication 2020,OU=Siemens Trust Center,serialNumber=ZZZZZZB6,O=Siemens,L=Muenchen,ST=Bayern,C=DE^M > issuer: CN=Siemens Root CA V3.0 2016,OU=Siemens Trust Center,serialNumber=ZZZZZZA1,O=Siemens,L=Muenchen,ST=Bayern,C=DE^M > not valid before: 2020-06-24T10:50:55Z^M > not valid after: 2026-06-24T10:50:55Z^M > source: Siemens PKI^M > client cert auth strength: medium^M > subject hash: be133774^M > fingerprint (SHA-1): 5F:B4:05:3E:EE:D6:94:15:9F:25:72:59:0A:82:D5:1E:BE:FB:53:2D^M > fingerprint (SHA-256): 89:05:AD:16:17:C5:53:05:64:8E:AB:95:33:88:61:55:F8:D4:CE:5B:45:6F:17:83:FB:47:88:7B:F9:28:82:1A^M > extended key usage:^M > Transport Layer Security (TLS) World Wide Web (WWW) client authentication (1.3.6.1.5.5.7.3.2)^M > Email protection (1.3.6.1.5.5.7.3.4)^M > Signing Online Certificate Status Protocol (OCSP) responses (1.3.6.1.5.5.7.3.9)^M > -----BEGIN CERTIFICATE-----^M > MIIJkzCCB3ugAwIBAgIEfGgrtTANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMC^M > REUxDzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwITXVlbmNoZW4xEDAOBgNVBAoM^M > B1NpZW1lbnMxETAPBgNVBAUTCFpaWlpaWkExMR0wGwYDVQQLDBRTaWVtZW5zIFRy^M > dXN0IENlbnRlcjEiMCAGA1UEAwwZU2llbWVucyBSb290IENBIFYzLjAgMjAxNjAe^M > Fw0yMDA2MjQxMDUwNTVaFw0yNjA2MjQxMDUwNTVaMIG2MQswCQYDVQQGEwJERTEP^M > MA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQMA4GA1UECgwHU2ll^M > bWVuczERMA8GA1UEBRMIWlpaWlpaQjYxHTAbBgNVBAsMFFNpZW1lbnMgVHJ1c3Qg^M > Q2VudGVyMT8wPQYDVQQDDDZTaWVtZW5zIElzc3VpbmcgQ0EgTWVkaXVtIFN0cmVu^M > Z3RoIEF1dGhlbnRpY2F0aW9uIDIwMjAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw^M > ggIKAoICAQDGd8o5EWM7+UrZpD9ga1nWo6hQE/haOg3U+uV2Qv9Yrq/TsR0FAQ4X^M > CzRJ7bYW4h4jkr9XyTwfhOuwW5J+iP/uSHSenEPWoekcsLYMjs2qg0CRDuY+8D9R^M > nlqQYE6fv6l4mqPymudBOm7Cy3mPS0d6BlO5bWAXyCUOZaB9IxpNk0ouqXajTB64^M > 2f59BReCORGg52l5tvVs8edsoRop94JRe7LXxn0Byqz3uwHRNTUPbnKdvNGcsWl4^M > aB66CB7Uj1dFuR9K7Uy4STap9eD5IibXvRnl7tpgsJcX+kOM5c851DJ6gA8zY2Vy^M > Upsr2SDdPwFWrDjjqqlf7530a2I+ipZruwWBSDce97WSW5XRYE2dUO3h0g68xttZ^M > JD5iveqdoAhZXf/9yDqAJe7NGzu/C9RNrguq17MpRgWuUqLUx8N/mAGRsZJFLJg9^M > AJvGSOtz77ambCdnq73Zqy07dnO0ybg6lutm3vPwV2MeIJ+aGh9ECxOIXG8cCVKG^M > orNxyNhAli+YzPJTytHLmCNqHmTlwMmJcs3v7z7QRdDOeWWV6T4vswI3KJ66EB0q^M > TDnCzssRqp9mepFQmKPK193rUGDKm+RsIluCBiY/ltKYhawUJe8Q8KztRGZoIjH6^M > 4CAgumfsGTeICd54tDFdRzxEcqlixeTrOodY3P1IHBr/vCI3ENOlqwIDAQABo4ID^M > wjCCA74wgfgGCCsGAQUFBwEBBIHrMIHoMEEGCCsGAQUFBzAChjVsZGFwOi8vYWwu^M > c2llbWVucy5uZXQvQ049WlpaWlpaQTEsTD1QS0k/Y0FDZXJ0aWZpY2F0ZTAyBggr^M > BgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBMS5jcnQw^M > SgYIKwYBBQUHMAKGPmxkYXA6Ly9hbC5zaWVtZW5zLmNvbS91aWQ9WlpaWlpaQTEs^M > bz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMCMGCCsGAQUFBzABhhdodHRwOi8v^M > b2NzcC5zaWVtZW5zLmNvbTAfBgNVHSMEGDAWgBRwbaBQ7KnQLGedGRX+/QRzNcPi^M > 1DASBgNVHRMBAf8ECDAGAQH/AgEAMIIBaAYDVR0gBIIBXzCCAVswNQYIKwYBBAGh^M > aQcwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoG^M > DSsGAQQBoWkHAgIDAgMwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5z^M > LmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIDAQMwKTAnBggrBgEFBQcCARYbaHR0cDov^M > L3d3dy5zaWVtZW5zLmNvbS9wa2kvMDoGDSsGAQQBoWkHAgIEAQMwKTAnBggrBgEF^M > BQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDcGCisGAQQBoWkHAgUw^M > KTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5zaWVtZW5zLmNvbS9wa2kvMDUGCCsG^M > AQQBoWljMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuc2llbWVucy5jb20vcGtp^M > LzCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhj9sZGFwOi8vY2wuc2llbWVucy5uZXQv^M > Q049WlpaWlpaQTEsTD1QS0k/YXV0aG9yaXR5UmV2b2NhdGlvbkxpc3SGJmh0dHA6^M > Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTEuY3JshkhsZGFwOi8vY2wuc2ll^M > bWVucy5jb20vdWlkPVpaWlpaWkExLG89VHJ1c3RjZW50ZXI/YXV0aG9yaXR5UmV2^M > b2NhdGlvbkxpc3QwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEF^M > BQcDCTAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA1+aaPq7mhwVqIHFPm1k6mu^M > 4EfCMA0GCSqGSIb3DQEBCwUAA4ICAQBSMbkJZsfcZppTh0KigOHozfdqrFKoXHJB^M > dFFyMuCF0jvhWr4dWhWfkN1pxNM6AA6fdJjJjJoOzQHUysMNdbcbFZl4e/4VW6Qg^M > 6h/0CkAV+VJBQYeJ34l3vQKtwPWN/yhItLU6JyxNIt3b5WxTgSXvjicazALcDz9h^M > tTnXeE39QSgH7jh2uEIZk0q9YHYYaPmAndsDa4j943FQyjayqKm9ggCfS+SHc85f^M > 3PlCq5yZyypVKzpq/DFJ2r+CCtRWzQXRTz2cvVdGueyF0gmTPlLoGIpc5rPlOWXH^M > KE07+Ibc25aY0VmIN5VGUMOEbHz0nq+aCDtnx+HfPHiS9oNQH7zyclGhgKcWwI9T^M > IdsB/IPp+oH/7v7V++Q0d81azfzvc/mCUd0CGCDDNjPqj2gOhn6IPKRU5QFIL/1h^M > ycW1PEHyC6BmIT1NkUVGWcFEXbkR4GIv72VGfupUf6xBdd36VzL1TUbrbV2tfAvB^M > OHBahZzzD4/kGKgUUCu9AEsj+BvqCe/va5h3NbB6bAGkZNDdP5coEECIHNu84ywN^M > 3IKOAVvWBzEcyDWAOu6IU9kOiDxPFq/oniLjxlEXJMEeVOYZL7B4Z2QzJakIdTAO^M > ZuIehRUdtkj6gKgu84zxgVTaYrHOa/byINCqpEsoeddKyKwCGD4s+LaeuGSSOwOv^M > cxztI32uTA==^M > -----END CERTIFICATE-----^M On: FreeBSD deblndw013x3v.ad001.siemens.net 15.0-CURRENT FreeBSD 15.0-CURRENT #0 main-n266042-fb7140b1f928: Thu Oct 19 03:02:14 UTC 2023 I assume that this was done for the content from ca_root_nss, but please keep in mind that this is not the default OpenSSL behavior. OpenSSL will not read beyond the first entry because rehash is supposed to read one cert per file. Ultimately, this should not care about ca_root_nss at all.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=f7d16a627efa8ba610eb9b8a12dd67b6cdbb2542 commit f7d16a627efa8ba610eb9b8a12dd67b6cdbb2542 Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2023-11-07 19:52:56 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2023-11-07 19:53:09 +0000 certctl: Convert line endings before inspecting files. This ensures that certificate files or bundles with DOS or Mac line endings are recognized as such and handled identically to those with Unix line endings. PR: 274952 Reviewed by: allanjude Differential Revision: https://reviews.freebsd.org/D42490 usr.sbin/certctl/certctl.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)