OpenSSL can use a CAPath to search for certificates to index, but you could overlook how it actually searches for them.

You can specify a CAPath in openSSL by using the function SSL_CTX_load_verify_locations, but it won’t work as is. As described in this page, it will need the certificates to be rehashed with the “c_rehash .” command.

Except on some environment like many embedded devices (the one you put busybox on), you can’t use it because it’s way too heavy (or not worth installing) for that kind of environment. You can do the same thing by issuing these commands:

for file in *.pem; do ln -s $file openssl x509 -subject_hash -noout -in$file.0; done
for file in *.pem; do ln -s $file openssl x509 -subject_hash_old -noout -in$file.0; done


The second one is optional but it’s what the c_rehash program will actually do, most likely for compatibility with older versions of openssl.