Consider using the system certificates instead of the Mozilla root store.

[sosthene-nitrokey]

By default we use the Mozilla root store certificates. Using the system certificates makes it more likely to just work by default in the case of a custom setup with a custom PKI.

nethsm-sdk-py/nethsm/client/rest.py

Line 65 in 125152e

ca_certs = certifi.where()

Rust SDK is not really affected as the client can be configured by the consumer.

[robin-nitrokey]

If we want to implement this, we should determine the correct location here so that we don’t have to modify the generated code:

nethsm-sdk-py/nethsm/__init__.py

Line 485 in 125152e

config.ssl_ca_cert = ca_certs # type: ignore[assignment]

See also:

nethsm-sdk-py/nethsm/client/configurations/api_configuration.py

Line 194 in 125152e

self.ssl_ca_cert = None

nethsm-sdk-py/nethsm/client/rest.py

Line 62 in 125152e

ca_certs = configuration.ssl_ca_cert